From 31dbd5d92835fd47e974a20f80ab1367c778b51b Mon Sep 17 00:00:00 2001 From: wk333 <13474090681@163.com> Date: Mon, 27 May 2024 16:52:16 +0800 Subject: [PATCH] Sync release from 22.03-SP3 (cherry picked from commit 036441f47a51ba52786658f870006f06f7636e40) --- optimize-80-rules-for-openEuler.patch | 5127 +++++++++++++++++++++++++ scap-security-guide.spec | 12 +- 2 files changed, 5138 insertions(+), 1 deletion(-) create mode 100644 optimize-80-rules-for-openEuler.patch diff --git a/optimize-80-rules-for-openEuler.patch b/optimize-80-rules-for-openEuler.patch new file mode 100644 index 0000000..a9b4e20 --- /dev/null +++ b/optimize-80-rules-for-openEuler.patch 
@@ -0,0 +1,5127 @@ +From 1c41f3fe392f3e57459d2d54be0fda862ab06d69 Mon Sep 17 00:00:00 2001 +From: qsw333 +Date: Thu, 16 Nov 2023 13:50:38 +0800 +Subject: [PATCH] second + +--- + .../base/service_haveged_enabled/rule.yml | 31 ++ + .../service_dhcpd_disabled/rule.yml | 2 +- + .../service_named_disabled/rule.yml | 2 +- + .../package_httpd_removed/rule.yml | 2 +- + .../package_openldap-clients_removed/rule.yml | 23 ++ + .../service_rpcbind_disabled/rule.yml | 2 +- + .../service_nfs-server_disabled/rule.yml | 33 ++ + .../rule.yml | 2 +- + .../ntpd_service_configure_correctly/rule.yml | 51 +++ + linux_os/guide/services/rsync/group.yml | 9 + + .../rsync/service_rsyncd_disabled/rule.yml | 20 + + .../service_smb_disabled/rule.yml | 2 +- + .../oval/shared.xml | 25 ++ + .../rule.yml | 23 ++ + .../oval/shared.xml | 25 ++ + .../rule.yml | 26 ++ + .../oval/shared.xml | 25 ++ + .../rule.yml | 25 ++ + .../oval/shared.xml | 25 ++ + .../sshd_configure_correct_interface/rule.yml | 26 ++ + .../oval/shared.xml | 25 ++ + .../sshd_disable_AllowTcpForwardindg/rule.yml | 28 ++ + .../oval/shared.xml | 25 ++ + .../sshd_disable_x11_forwarding/rule.yml | 23 ++ + .../sshd_enable_warning_banner/rule.yml | 1 + + .../oval/shared.xml | 54 +++ + .../rule.yml | 25 ++ + .../uninstall_software_service/group.yml | 5 + + .../network_sniffing_tools/rule.yml | 24 ++ + .../rule.yml | 2 +- + .../oval/shared.xml | 53 ++- + .../oval/shared.xml | 50 +++ + .../no_forward_files/oval/shared.xml | 20 + + .../no_forward_files/rule.yml | 31 ++ + .../accounts_tmout/oval/shared.xml | 2 +- + .../accounts_umask_etc_bashrc/oval/shared.xml | 38 ++ + .../rule.yml | 31 ++ + .../rule.yml | 2 +- + .../rule.yml | 3 +- + .../rule.yml | 5 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 3 +- + .../rule.yml | 1 - + .../rule.yml | 1 - + .../rule.yml | 2 +- + .../rule.yml | 1 - + 
.../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 2 +- + .../rule.yml | 39 ++ + .../oval/shared.xml | 89 +++++ + .../audit_rules_admin_privilege/rule.yml | 28 ++ + .../oval/shared.xml | 35 ++ + .../audit_rules_media_export/oval/shared.xml | 61 +++ + .../oval/shared.xml | 124 +++++-- + .../oval/shared.xml | 65 ++++ + .../oval/shared.xml | 18 + + .../oval/shared.xml | 18 + + .../oval/shared.xml | 25 ++ + .../rule.yml | 56 +++ + .../oval/shared.xml | 17 + + .../oval/shared.xml | 19 +- + .../auditd_data_retention_space_left/rule.yml | 2 +- + .../oval/shared.xml | 18 + + .../auditing/grub2_audit_argument/rule.yml | 2 +- + .../rule.yml | 2 +- + .../oval/shared.xml | 25 ++ + .../configure_dump_journald_log/rule.yml | 25 ++ + .../rule.yml | 24 ++ + .../configure_rsyslog_log_rotate/rule.yml | 48 +++ + .../configure_service_logging/rule.yml | 26 ++ + .../diasable_root_accessing_system/rule.yml | 50 +++ + .../rsyslog_files_permissions/oval/shared.xml | 1 + + .../oval/shared.xml | 25 ++ + .../rule.yml | 22 ++ + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rsyslog_remote_loghost/oval/shared.xml | 1 + + .../rule.yml | 36 ++ + .../rule.yml | 36 ++ + .../rule.yml | 27 ++ + .../rule.yml | 36 ++ + .../rule.yml | 28 ++ + .../configure_ipatbles_rule_refuse/rule.yml | 27 ++ + .../wireless_disable_interfaces/rule.yml | 2 +- + .../rule.yml | 26 ++ + .../system/network/network_nftables/group.yml | 12 + + .../rule.yml | 31 ++ + .../rule.yml | 29 ++ + .../rule.yml | 24 ++ + .../rule.yml | 28 ++ + .../rule.yml | 25 ++ + .../service_nftables_enabled/rule.yml | 22 ++ + .../define_ld_lib_path_correctly/rule.yml | 41 +++ + .../files/define_path_strictly/rule.yml | 44 +++ + .../no_files_globally_writable_files/rule.yml | 34 ++ + .../rule.yml | 38 ++ + .../rule.yml | 33 ++ + .../partitions_mounted_nodev_mode/rule.yml | 47 +++ + .../partitions_mounted_noexec_mode/rule.yml | 23 ++ + .../partitions_mounted_nosuid_mode/rule.yml | 31 ++ + .../rule.yml | 29 ++ + 
.../read_only_partitions_no_modified/rule.yml | 21 ++ + .../sysctl_kernel_yama_ptrace_scope/rule.yml | 3 +- + .../rule.yml | 33 ++ + .../system/software/enabled_seccomp/rule.yml | 47 +++ + .../crypto/configure_crypto_policy/rule.yml | 2 +- + .../aide/aide_build_database/oval/shared.xml | 1 + + .../aide/enable_aide_detection/rule.yml | 40 ++ + .../ima_verification/rule.yml | 55 +++ + .../rule.yml | 33 ++ + .../disabled_SysRq/oval/shared.xml | 25 ++ + .../system-tools/disabled_SysRq/rule.yml | 30 ++ + .../uninstall_debugging_tools/rule.yml | 35 ++ + .../rule.yml | 39 ++ + openeuler2203/profiles/standard.profile | 346 +++++++++++++++++- + ...late_OVAL_audit_rules_file_deletion_events | 109 ++++-- + ...audit_rules_unsuccessful_file_modification | 167 +++++++-- + .../template_OVAL_grub2_bootloader_argument | 47 +++ + .../templates/template_OVAL_service_enabled | 7 + + 128 files changed, 3356 insertions(+), 126 deletions(-) + create mode 100644 linux_os/guide/services/base/service_haveged_enabled/rule.yml + create mode 100644 linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml + create mode 100644 linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml + create mode 100644 linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml + create mode 100644 linux_os/guide/services/rsync/group.yml + create mode 100644 linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml + create mode 100644 
linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml + create mode 100644 linux_os/guide/services/uninstall_software_service/group.yml + create mode 100644 linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml + create mode 100644 
linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/configure_dump_journald_log/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml + create mode 100644 linux_os/guide/system/logging/configure_service_logging/rule.yml + create mode 100644 linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml + create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml + create mode 100644 linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml + create mode 100644 linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml + create mode 100644 linux_os/guide/system/network/network_interface_binding_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/group.yml + create mode 100644 
linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml + create mode 100644 linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/define_path_strictly/rule.yml + create mode 100644 linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml + create mode 100644 linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml + create mode 100644 linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml + create mode 100644 linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml + create mode 100644 linux_os/guide/system/software/enabled_seccomp/rule.yml + create mode 100644 
linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml + create mode 100644 linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml + create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml + create mode 100644 linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml + create mode 100644 linux_os/guide/system/software/uninstall_debugging_tools/rule.yml + create mode 100644 linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml + +diff --git a/linux_os/guide/services/base/service_haveged_enabled/rule.yml b/linux_os/guide/services/base/service_haveged_enabled/rule.yml +new file mode 100644 +index 0000000..a2e373a +--- /dev/null ++++ b/linux_os/guide/services/base/service_haveged_enabled/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Enable haveged service' ++ ++description: |- ++ The haveged service provides an easy-to-use, unpredictable random number ++ generator. The generated random numbers are used to supplement the system ++ entropy pool, which can solve the problem of low system entropy in some ++ cases. It is recommended to enable this service in scenarios where encryption, ++ decryption or key generation is required (such as using openssl and gnutls). ++ ++ If the haveged service is not turned on, when the process that needs to ++ generate strong pseudo-random numbers gets values from /dev/random, it will ++ be stuck in waiting because it cannot get enough values, and will not return ++ until new random bytes are obtained. ++ ++severity: low ++ ++rationale: |- ++ none. 
++ ++ocil: '{{{ ocil_service_disabled(service="haveged") }}}' ++ ++platform: machine ++ ++template: ++ name: service_enabled ++ vars: ++ servicename: haveged +\ No newline at end of file +diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +index efe3519..4d41613 100644 +--- a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml ++++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable DHCP Service' + +diff --git a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +index 62c1bf0..7add584 100644 +--- a/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml ++++ b/linux_os/guide/services/dns/disabling_dns_server/service_named_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable named Service' + +diff --git a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +index b9a6437..8156243 100644 +--- a/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml ++++ b/linux_os/guide/services/http/disabling_httpd/package_httpd_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Uninstall httpd Package' + +diff --git a/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml 
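Review bot: The `ocil` line in service_haveged_enabled/rule.yml calls `ocil_service_disabled(service="haveged")`, so the manual-check text tells an auditor to confirm haveged is disabled while the title and the `service_enabled` template require it enabled; use `ocil: '{{{ ocil_service_enabled(service="haveged") }}}'`. `rationale: none.` should carry the actual justification rather than leaving it to the description. The description's claim that readers of /dev/random block until fresh entropy arrives describes pre-5.6 kernels; if openEuler 22.03 ships a 5.10-series kernel, as I believe it does, /dev/random blocks only until the CRNG is initially seeded, so the benefit is limited to early boot on entropy-starved guests and the text should say that instead of promising a general fix.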
b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +new file mode 100644 +index 0000000..717c04b +--- /dev/null ++++ b/linux_os/guide/services/ldap/openldap_client/package_openldap-clients_removed/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Remove LDAP Client' ++ ++description: |- ++ LDAP (Lightweight Directory Access Protocol) is a lightweight directory ++ access protocol that provides access control and maintains distributed ++ directory information. ++ ++rationale: |- ++ Providing an LDAP client (openldap-clients) in the system can cause ++ waste of system resources and expand the scope of attacks. If the business ++ scenario does not require the use of LDAP services, it is prohibited to ++ install the LDAP client. ++ ++severity: high ++ ++template: ++ name: package_removed ++ vars: ++ pkgname: openldap-clients +\ No newline at end of file +diff --git a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +index 902117f..9bd2182 100644 +--- a/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable rpcbind Service' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml +new file mode 100644 +index 0000000..32a4889 +--- /dev/null ++++ 
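Review bot: `severity: high` in package_openldap-clients_removed/rule.yml is not supported by its own rationale, which cites only resource waste and a vaguely larger attack surface; the package ships client tools and no listening service, so `severity: low` or a rationale naming a concrete exposure is more defensible. The rule also has no `ocil`, so there is no manual-check text when the OVAL cannot run; if the `ocil_package` macro is available in this tree, `ocil: '{{{ ocil_package(package="openldap-clients") }}}'` would match the other package rules. A high-severity fail on every host that keeps `ldapsearch` around for troubleshooting will mostly generate exceptions rather than hardening.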
b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs-server_disabled/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++prodtype: fedora,rhel6,rhel7,rhel8,openeuler2203 ++ ++title: 'Disable Network File System (nfs) Service' ++ ++description: |- ++ Network File System (NFS) is one of the oldest and most widely distributed ++ file systems in UNIX environments. It provides the system with the ability ++ to mount other servers' file systems over the network. If the system does ++ not export NFS shares, it is recommended to disable NFS to reduce the remote ++ attack surface.. ++ {{{ describe_service_disable(service="nfs-server") }}} ++ ++rationale: |- ++ 'Disabling NFS affects services and applications on the system that rely on NFS, ++ as well as existing NFS mount points. Before disabling NFS, you should make sure ++ you understand the usage on your system and consider whether there are alternatives ++ to meet your file sharing and data access needs.' 
++ ++severity: low ++ ++ocil_clause: 'it does not' ++ ++ocil: '{{{ ocil_service_disabled(service="nfs") }}}' ++ ++platform: machine ++ ++template: ++ name: service_disabled ++ vars: ++ servicename: nfs-server ++ packagename: nfs-utils +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +index 1381b06..437d72a 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,openeuler2203,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 + + title: 'Specify a Remote NTP Server' + +diff --git a/linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml b/linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml +new file mode 100644 +index 0000000..c354f5b +--- /dev/null ++++ b/linux_os/guide/services/ntp/ntpd_service_configure_correctly/rule.yml +@@ -0,0 +1,51 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Correctly configure the ntpd service' ++ ++description: |- ++
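Review bot: In service_nfs-server_disabled/rule.yml the `ocil` calls `ocil_service_disabled(service="nfs")` while the template disables `nfs-server`, so the manual check names a different unit than the automated one; use `ocil: '{{{ ocil_service_disabled(service="nfs-server") }}}'`. The `rationale` block is wrapped in literal single quotes inside a `|-` scalar, which end up in the rendered text, and its content is an impact warning rather than a rationale; move it under `warnings:` as a `general` entry and state the rationale as the reduced remote attack surface of not running an unneeded network service. There is also a doubled period in the description (`attack surface..`).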

In a cluster scenario, it is critical that the server time is accurate and ++ consistent. For example, when the time is inconsistent, the data generated ++ between different servers may produce inaccurate results when sorted or ++ compared based on time.

++ ++

If a Linux server has been running for a long time, time errors will occur. ++ Therefore, even if we use the date command to configure all server times to ++ be consistent initially, as time goes by, the server time will still be ++ inaccurate and inconsistent. Therefore, in order to ensure that the time of ++ all machines in the environment is synchronized and accurate, there must be ++ a time server that can be synchronized, and other servers in the network ++ will synchronize time to this server.

++ ++

It can not be scanned automatically, please check it manually.

++

Check ntpd configure use below command.

++ ++rationale: |- ++

When using the ntpd service to achieve time synchronization, if the ntpd ++ service is not configured correctly, the server time may be inaccurate, ++ resulting in inconsistent times between different servers.

++ ++

When the server time is inaccurate, there will be big problems for time-sensitive ++ data such as finance and orders. For example, time inaccuracies may cause a ++ piece of accounting data to fall into the wrong financial period, resulting in ++ an uneven balance sheet at the end of the period.

++ ++

When the time between servers is inconsistent, there will be a deviation ++ in the time of the packets generated by each host. If there is a certain ++ processing order of data flows between multiple servers, and the server time ++ of the latter link is less than the time of the previous server, it may cause ++ The received packet is discarded because the time is greater than the local ++ time.

++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/rsync/group.yml b/linux_os/guide/services/rsync/group.yml +new file mode 100644 +index 0000000..0482394 +--- /dev/null ++++ b/linux_os/guide/services/rsync/group.yml +@@ -0,0 +1,9 @@ ++documentation_complete: true ++ ++title: 'Rsync Server' ++ ++description: |- ++ The rsync service can be used to synchronize data between ++ servers or between different Disk partitioning on the server, ++ but because rsync uses an unencrypted transmission protocol, ++ there is a risk of information disclosure. +\ No newline at end of file +diff --git a/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml +new file mode 100644 +index 0000000..09a17a9 +--- /dev/null ++++ b/linux_os/guide/services/rsync/service_rsyncd_disabled/rule.yml +@@ -0,0 +1,20 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disable Rsync Server Software' ++ ++description: '{{{ describe_service_disable(service="rsync") }}}' ++ ++rationale: |- ++ If the rsync service is enabled and data is transmitted between ++ different servers through the network, attackers can steal data ++ by listening to server ports, routers, and switch data packets. 
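Review bot: ntpd_service_configure_correctly/rule.yml has no template, no OVAL and no `ocil`, so it can only ever report notchecked, and the description promises a command (`Check ntpd configure use below command.`) that is not there. The same patch removes `openeuler2203` from `prodtype` in chronyd_or_ntpd_specify_remote_server, which does have an automated check for a configured time source, so the net effect for openEuler is replacing an automated time-source check with an unverifiable manual one. Keep the automated rule in the profile and, if an ntpd-specific rule is wanted, give it at least an `ocil` such as `grep -E '^\s*(server|pool)\s' /etc/ntp.conf` with an `ocil_clause`. The rationale paragraphs describe the consequences of clock skew, which belong in the description; the rationale should state why an explicit, reachable time source is required.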
++ ++severity: high ++ ++template: ++ name: service_disabled ++ vars: ++ servicename: rsyncd ++ packagename: rsync +\ No newline at end of file +diff --git a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +index aec5800..c13311f 100644 +--- a/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml ++++ b/linux_os/guide/services/smb/disabling_samba/service_smb_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhel6,rhel7,rhel8 ++prodtype: rhel6,rhel7,rhel8,openeuler2203 + + title: 'Disable Samba' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml +new file mode 100644 +index 0000000..e6c1a0e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ SSH concurrent unauthenticated connections should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the specified IP address for SSH connection. 
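Review bot: The rsync group.yml states that rsync uses an unencrypted transmission protocol, but that is only true of the rsync daemon protocol on TCP 873 served by `rsyncd.service`; rsync over SSH is encrypted and unaffected by disabling `rsyncd`, so the description should name the daemon specifically. service_rsyncd_disabled/rule.yml also lacks an `ocil`; `ocil: '{{{ ocil_service_disabled(service="rsyncd") }}}'` matches the other service rules. The rationale could mention that the daemon exposes module listing and that modules without `auth users` are readable anonymously, which is a stronger argument for `severity: high` than passive sniffing.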
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^maxstartups\s+\d+:\d+:\d+$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml +new file mode 100644 +index 0000000..cba25f2 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_concurrent_unauthenticated_connections/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'SSH concurrent unauthenticated connections should be configured correctly' ++ ++description: |- ++ Attackers can consume system resources by establishing a large number of ++ concurrent connections with incomplete authentication without knowing the ++ password. ++ ++
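Review bot: The pattern `^maxstartups\s+\d+:\d+:\d+$` in sshd_concurrent_unauthenticated_connections/oval/shared.xml is lowercase, and OVAL pattern matches are case-sensitive, so the conventional `MaxStartups 10:30:100` fails this check while the directive is fine; it also rejects the single-number form `MaxStartups 10` that sshd accepts. Any three numbers pass, so the check enforces presence only, not a bound. Suggested pattern: `^(?i)MaxStartups\s+\d+(:\d+:\d+)?\s*$`, or better the `sshd_lineinfile` template used by sshd_enable_warning_banner so the value becomes a refinable variable. The description text (`Configure the specified IP address for SSH connection.`) is copied from the ListenAddress rule, and drop-ins under `/etc/ssh/sshd_config.d/` are never examined; the element tags were lost in this rendering, so I am reading the pattern text only.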

Use the grep command to view the configuration.

++ ++ ++rationale: |- ++ The MaxStartups setting specifies the maximum number of concurrent unauthenticated ++ connections to the SSH daemon. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml +new file mode 100644 +index 0000000..916fe29 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ The allowed number of concurrent sessions for a single SSH connection should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the allowed number of concurrent sessions. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^MaxSessions\s+\d+$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml +new file mode 100644 +index 0000000..e7daae7 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_concurrent_sessions/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'The allowed number of concurrent sessions for a single SSH connection should be configured correctly' ++ ++description: |- ++ SSH allows clients that support multiplexing to establish multiple sessions ++ based on a single network connection. MaxSessions limits the number of SSH ++ concurrent sessions allowed for each network connection, which can prevent ++ system resources from being unlimited occupied by a single or a few connections, ++ leading to denial of service attacks. ++ ++
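Review bot: `^MaxSessions\s+\d+$` in sshd_configure_concurrent_sessions/oval/shared.xml passes `MaxSessions 0`, which the rule's own rationale says blocks every session, and passes any arbitrarily large value, so it verifies only that the keyword is present. Bound it, e.g. `^MaxSessions\s+([1-9]|10)$`, or use the `sshd_lineinfile` template with a `value` so the limit is a refinable variable rather than baked into a regex. As with the other new sshd checks, sshd keeps the first occurrence of a keyword, so a later matching line does not prove the effective setting, and `/etc/ssh/sshd_config.d/` is not read.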

Use the grep command to view the configuration.

++ ++ ++rationale: |- ++ Setting MaxSessions to 1 will disable session multiplexing, meaning that only ++ one session is allowed for a connection, while setting it to 0 will block all ++ connected sessions. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml +new file mode 100644 +index 0000000..fb79aff +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ LoginGraceTime should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the LoginGraceTime for SSH connection. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^LoginGraceTime\s+\d+$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml +new file mode 100644 +index 0000000..b02eb1f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_LoginGraceTime/rule.yml +@@ -0,0 +1,25 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'LoginGraceTime should be configured correctly' ++ ++description: |- ++ LoginGraceTime is used to limit the user's login time. If the user ++ fails to complete the login action within the time limit specified ++ by LoginGraceTime, the connection will be automatically disconnected. ++ ++
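Review bot: `^LoginGraceTime\s+\d+$` in sshd_configure_correct_LoginGraceTime/oval/shared.xml accepts `LoginGraceTime 0`, which disables the timeout entirely, and `LoginGraceTime 3600`, while the rule's rationale asks for at most 60 seconds. It also rejects sshd's time-suffix forms such as `LoginGraceTime 1m` or `30s`, which are valid. A bounded pattern such as `^LoginGraceTime\s+([1-9]|[1-5][0-9]|60)s?$` enforces what the rationale describes; if the limit should be tunable, use the `sshd_lineinfile` template with a variable instead.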

Use the grep command to view the configuration.

++ ++ ++rationale: |- ++ It is recommended to set this value to less than or equal to 60 seconds. ++ If the value is set too high, attackers can utilize a large number of ++ incomplete login actions to consume server resources, resulting in normal ++ administrator login failures. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml +new file mode 100644 +index 0000000..47510c8 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ SSH service interface should be configured correctly ++ ++ multi_platform_openeuler ++ ++ Configure the specified IP address for SSH connection. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml +new file mode 100644 +index 0000000..3f4490b +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_configure_correct_interface/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'SSH service interface should be configured correctly' ++ ++description: |- ++ Generally, the server has multiple network cards and multiple ++ IP addresses. IP addresses should be planned for business and ++ management. Therefore, not every IP address needs to listen for ++ SSH connections. You can configure to limit SSH connections to ++ only specified IP addresses to reduce the attack surface. ++ ++
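Review bot: `^ListenAddress\s+((?:\d{1,3}\.){3}\d{1,3})$` in sshd_configure_correct_interface/oval/shared.xml is satisfied by `ListenAddress 0.0.0.0`, which is exactly the listen-on-everything configuration the rule is meant to prevent, and it rejects valid IPv6 (`ListenAddress ::1`) and `addr:port` forms. Since the correct address is site-specific, a pattern can only exclude wildcards, e.g. `^ListenAddress\s+(?!0\.0\.0\.0(\s|:|$))((?:\d{1,3}\.){3}\d{1,3})(:\d+)?\s*$` plus a sibling test for bracketed IPv6 literals, or make this a manual rule with an `ocil`. Note also that one matching `ListenAddress` line does not restrict sshd if another `ListenAddress` (or `::`) is present elsewhere in the file or in `/etc/ssh/sshd_config.d/`.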

If the listening address has been configured, you can query the corresponding configuration through the grep command.

++ ++ ++ ++rationale: |- ++ Unconfigured IP addresses cannot connect to the server through SSH. ++ It is recommended to plan and configure according to the actual situation. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml +new file mode 100644 +index 0000000..9146f4c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Does not allow the use of AllowTcpForwarding ++ ++ multi_platform_openeuler ++ ++ Sshd does not allow the use of AllowTcpForwarding. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^AllowTcpForwarding\s+no$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml +new file mode 100644 +index 0000000..eebb3b2 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_AllowTcpForwardindg/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Does not allow the use of AllowTcpForwarding' ++ ++description: |- ++ AllowTcpForwarding allows the SSH server to act as a proxy to forward TCP requests from ++ clients, similar to establishing an SSH tunnel between the server and the client. This ++ feature may cause the client to attack other servers from the external network through ++ the SSH channel. ++ ++
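Review bot: The directory `sshd_disable_AllowTcpForwardindg` is misspelled, and since the rule id is derived from the directory name the profile will reference it under that typo and renaming later breaks those references; fix it before merge. The check `^AllowTcpForwarding\s+no$` also passes when `AllowTcpForwarding yes` appears earlier in the file (sshd uses the first value it reads for each keyword) or when the `no` sits inside a `Match` block, and it never looks at `/etc/ssh/sshd_config.d/`. The `sshd_lineinfile` template used in sshd_enable_warning_banner fits this directive shape with `parameter: AllowTcpForwarding` and `value: 'no'` and would avoid hand-written OVAL here.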

Make sure SSH's AllowTcpForwarding parameter is configured correctly.

++ ++ ++rationale: |- ++ If AllowTcpForwarding is configured as yes, attackers can bypass firewall monitoring on ++ the client through the SSH channel and send attack commands to the intranet server where ++ the SSH server is located, thereby attacking it. So AllowTcpForwarding must be closed. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml +new file mode 100644 +index 0000000..5f4d777 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Does not allow the use of X11 Forwarding ++ ++ multi_platform_openeuler ++ ++ Sshd does not allow the use of X11 Forwarding. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^X11Forwarding\s+no$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +new file mode 100644 +index 0000000..c301259 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Does not allow the use of X11 Forwarding' ++ ++description: |- ++ The X11 Forwarding feature of SSH allows for the execution of GUI programs for remote ++ hosts on the local host. If not required in the business scenario, this feature must ++ be disabled. ++ ++
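Review bot: The description and rationale omit the caveat that decides whether this control does anything: sshd_config(5) notes that disabling TCP forwarding does not improve security unless users are also denied shell access, because anyone with a shell can run their own forwarder. The setting is effective for restricted accounts (`ForceCommand`, `command=` keys, SFTP-only `Match` blocks) and should be documented as such; add a `warnings` entry to that effect and consider naming `AllowAgentForwarding no`, `PermitTunnel no` and `GatewayPorts no` as companion settings for the same threat. The attack narrative is also inverted — the risk is an authenticated client pivoting from the SSH server into hosts the server can reach, bypassing perimeter filtering — so `A user who can forward TCP through sshd can reach any host or port the server can, turning the SSH server into a proxy into the internal network.` would be clearer. Finally, the rule directory and id are spelled `AllowTcpForwardindg`; fix the typo before profiles start referencing the id.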
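Review bot: As with the AllowTcpForwarding check, `^X11Forwarding\s+no$` is satisfied by any matching line regardless of position, whereas sshd honours only the first value of a keyword, so an earlier `X11Forwarding yes` (or a `Match` block that applies to the connecting user) leaves forwarding enabled while the rule passes; it also fails indented or differently-cased spellings that sshd accepts. Verify that the first uncommented `X11Forwarding` line is `no` with leading whitespace and keyword case tolerated, or evaluate `sshd -T` output, and cover `sshd_config.d` if openEuler's default config includes it. OpenSSH's built-in default for `X11Forwarding` is `no`, so a configuration with no line at all is compliant yet fails this check — decide whether absence should pass and document the choice.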

Use the grep command to view the configuration.

++ ++ ++rationale: |- ++ Enabling the X11 Forwarding function expands the scope of attacks and poses a possibility ++ of being attacked by other users on the X11 server. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +index f32287f..5ebb89d 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +@@ -52,3 +52,4 @@ template: + parameter: Banner + rule_id: sshd_enable_warning_banner + value: /etc/issue ++ value@openeuler2203: /etc/issue.net +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml +new file mode 100644 +index 0000000..2939bf9 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/oval/shared.xml +@@ -0,0 +1,54 @@ ++ ++ ++ ++ Prohibit SSH service pre setting authorized_Keys ++ ++ multi_platform_openeuler ++ ++ Prohibit SSH service shuold setting authorized_Keys ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /root/.* ++ authorized_keys ++ .* ++ 1 ++ ++ ++ ++ /home/.* ++ authorized_keys ++ .* ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml +new file mode 100644 +index 0000000..145f45d +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_prohibit_preset_authorized_keys/rule.yml +@@ -0,0 +1,25 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Prohibit SSH service pre setting authorized_Keys' ++ ++description: |- ++ Authorized_ Keys is the public key of the remote host, which users can ++ store in 
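Review bot: The `sshd_prohibit_preset_authorized_keys` OVAL fails on any `authorized_keys` under `/root` or `/home`, which penalises the configuration hardening usually encourages — a host that has replaced passwords with keys (`PasswordAuthentication no`) can never pass — while accounts whose homes are outside `/home` (service users, `/srv`, `/var/lib/...`), the default companion file `authorized_keys2`, and a non-default `AuthorizedKeysFile` (e.g. `/etc/ssh/authorized_keys/%u`) are not examined at all. Derive the search paths from the home directories in `/etc/passwd` and from the effective `AuthorizedKeysFile` value (`sshd -T`). Scope the rule to what "preset" means — keys baked into an image, or present for accounts that should not be remotely reachable such as root while `PermitRootLogin` is not `no` — rather than to the presence of any key, otherwise it will be waived wholesale. The metadata description also contains a typo (`shuold`).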
their home directory $HOME/. ssh/authorized_ In the keys file, ++ for public key authentication, you can directly log in to the system. ++ ++

Use the grep command to view the configuration. If the return value is empty, it means authorized_keys is not preset:

++ ++ ++rationale: |- ++ If authorized is preset in the system_ Keys, and the server has enabled ++ the login method of public and private key authentication, allowing ++ attackers to bypass authentication and directly log in to the specified ++ system to attack it. So authorized cannot be preset in the system_ Keys. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/services/uninstall_software_service/group.yml b/linux_os/guide/services/uninstall_software_service/group.yml +new file mode 100644 +index 0000000..0a269ba +--- /dev/null ++++ b/linux_os/guide/services/uninstall_software_service/group.yml +@@ -0,0 +1,5 @@ ++documentation_complete: true ++ ++title: 'Do not install some software packages.' ++ ++description: |- +\ No newline at end of file +diff --git a/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml +new file mode 100644 +index 0000000..3afd602 +--- /dev/null ++++ b/linux_os/guide/services/uninstall_software_service/network_sniffing_tools/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Uninstall network sniffing Package' ++ ++description: |- ++ If the production environment contains network sniffing tools, attackers ++ can easily use these tools to conduct network analysis and assist network ++ attacks. Therefore, installation of various network sniffing and packet ++ capture analysis tools, such as tcpdump, ethereal, wireshark, etc., should ++ be prohibited in the production environment. ++ ++
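Review bot: The description and rationale are garbled — `authorized_keys` has been split into "Authorized_ Keys", "$HOME/. ssh/authorized_ In the keys file" and "in the system_ Keys", which reads like a machine translation and will confuse anyone applying the rule. Suggested description: `The authorized_keys file lists the public keys trusted for a user; by default sshd reads it from $HOME/.ssh/authorized_keys (see AuthorizedKeysFile), and any key listed there grants login without a password.` Suggested rationale: `A key pre-installed in an image, or added by a third party, gives whoever holds the matching private key unattended access to every system built from that image; such keys must not be shipped.` The sentence "If the return value is empty, it means authorized_keys is not preset:" is followed by no visible command, so either include the `find` over the home directories or drop the colon.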
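Review bot: `description: |-` in the new `uninstall_software_service/group.yml` has no content, so the group renders with an empty description while `documentation_complete: true` claims otherwise. Either write one, e.g. `Software that is not needed in production — packet sniffers, scanners and similar tooling — widens the attack surface and hands an intruder ready-made capabilities; the rules in this group identify such packages.`, or set `documentation_complete: false` until it exists. The trailing period in the title is also inconsistent with the other titles in this patch.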

It can not be scanned automatically,please check it manually.

++

check the network_sniffing_tools,such as wireshark,netcat,tcpdump,namp,ethereal:

++ ++ ++rationale: |- ++ There is no need to install various network sniffing and packet capture ++ analysis tools in the production environment. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +index 84a64db..625f15d 100644 +--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml ++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Remove the X Windows Package Group' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +index 0139186..42c587f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml +@@ -7,6 +7,14 @@ + + The number of allowed failed logins should be set correctly. 
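Review bot: This rule is declared manual ("It can not be scanned automatically") although package presence is exactly what the existing `package_<name>_removed` template checks; one templated rule per package (`tcpdump`, `wireshark`, `nmap`, `nmap-ncat` — names to be confirmed against the openEuler repositories) would make the control scannable and remediable, with this rule left as the group description. The package list also needs cleaning: `namp` is a typo for `nmap`, `ethereal` is the pre-2006 name of Wireshark and is not a package on a current distribution, and `netcat`/`nmap` are connection and port-scanning tools rather than sniffers, so either widen the title to "network reconnaissance tools" or drop them. The rationale should state the risk instead of restating the requirement, e.g. `A packet-capture tool on a production host lets an attacker who gains a foothold harvest credentials and session data from adjacent traffic and map the internal network without bringing their own tooling.`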
+ ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + +@@ -31,6 +39,7 @@ + + + ++ {{% endif %}} + + + + {{% if product in ["openeuler2203"] %}} +- [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authsucc\s+audit\s+deny=[0-3]*.*$ + {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% endif %}} +@@ -184,7 +193,7 @@ + + {{% if product in ["openeuler2203"] %}} +- [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*audit[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authsucc\s+audit\s+deny=[0-3]*.*$ + {{% else %}} + [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n] + {{% endif %}} +@@ -223,4 +232,44 @@ + 1 + + ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^\s*auth\s+(?:(?:required))\s+pam_faillock.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/system-auth ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^\s*auth\s+(?:(?:required))\s+pam_faillock.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ ++ ++ /etc/pam.d/password-auth ++ ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+.*deny=[0-3].*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml +index 
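Review bot: The openEuler-specific patterns hard-code the threshold as `deny=[0-3]*.*$` in the states and `deny=[0-3].*$` in the new objects, which accepts values that defeat the control: `[0-3]*` matches zero digits, so `deny=` with no number passes, and because `.*` follows, `deny=30`, `deny=333` or even `deny=99` (zero digits from the class, the rest consumed by `.*`) pass as well. The non-openEuler branch captures `deny=([0-9]+)` and compares it against the profile variable; do the same here (capture group plus a `less than or equal` state bound to `var_accounts_passwords_pam_faillock_deny`), or if a fixed ceiling is really intended write `deny=[1-3](?:\s|$)`. The state regex also pins the argument order `authsucc\s+audit\s+deny=`, so a valid `authsucc deny=3 audit` line fails, and `pam_faillock.so` in the `required` object is unescaped unlike the line below it. Replacing the multi-line preauth→`pam_unix` ordering check with single-line matches appears to drop the guarantee that `pam_faillock` runs before `pam_unix`; if ordering is no longer verified, say so in the rule's `warnings`.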
13bbae4..4a7b660 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/oval/shared.xml +@@ -1,9 +1,22 @@ + + + {{{ oval_metadata("Check dictcheck in pwquality") }}} ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + + + + ++ ++ ++ ++ ++ ++ /etc/pam\.d/system-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/pam\.d/system-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.*dictcheck[\s]*=[\s]*0.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/pam\.d/password-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/pam\.d/password-auth ++ [\s]*password[\s]*requisite[\s]* pam_pwquality\.so[\s]*.*dictcheck[\s]*=[\s]*0.* ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml +new file mode 100644 +index 0000000..eab54dd +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/oval/shared.xml +@@ -0,0 +1,20 @@ ++ ++ ++ ++ Verify No forward Files Exist ++ {{{- oval_affected(products) }}} ++ If there are no related email forwarding scenarios, it is recommended to delete the .forward file. 
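Review bot: The four new pwquality patterns are unanchored — `[\s]*password[\s]*requisite[\s]* pam_pwquality\.so...` has no leading `^` — so a commented-out `#password requisite pam_pwquality.so ...` line satisfies the "module present" object and a commented `#... dictcheck=0` trips the "disabled" one; prefix each with `^\s*` and use `\s+` between the tokens, since `[\s]*` also accepts `passwordrequisite`. The filepath is written `/etc/pam\.d/system-auth` with a regex escape, which only resolves if the object uses `operation="pattern match"` (the stripped XML does not show it); with the default `equals` the file is never found. More importantly the check only reads module arguments: when `dictcheck` is absent from the pam line — the common case — the effective value comes from `/etc/security/pwquality.conf` and `pwquality.conf.d/*.conf`, where `dictcheck = 0` disables the dictionary check while this rule still passes, so add an object over those files with `^\s*dictcheck\s*=\s*0\s*$` as a fail condition or keep the non-openEuler logic, which appears to evaluate `pwquality.conf`, rather than forking it behind `{{% if product in ['openeuler2203'] %}}`.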
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /home ++ ^\.forward$ ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml +new file mode 100644 +index 0000000..92ca05a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_forward_files/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Verify No forward Files Exist' ++ ++description: |- ++ The .forward file can be configured with an email address, which ++ will be automatically forwarded to when users receive emails. If there are ++ no related email forwarding scenarios, it is recommended to delete the ++ .forward file. ++ ++
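Review bot: The file object pairs `path` `/home` with `filename` `^\.forward$`; unless it carries a `behaviors recurse_direction="down"` element, which the stripped XML in this listing does not show, OVAL examines only `/home/.forward` and never a user's `/home/<user>/.forward`, so the rule passes everywhere. Use a `path` with `operation="pattern match"` such as `^/home/[^/]+$`, or better, enumerate home directories from `/etc/passwd` so that `/root` and accounts homed outside `/home` are covered too. Also confirm the test's `check_existence` is `none_exist`, since the rule's intent is that no such file is present.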

Use the following script to check:

++ ++ ++rationale: |- ++ If there is a .forward file, it may cause user emails carrying ++ sensitive information to be automatically forwarded to high-risk mailboxes. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml +index bcb50bd..d80e762 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml +@@ -36,7 +36,7 @@ + {{% if filepath %}} + {{{ filepath }}} + {{% endif %}} +- ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ ++ [\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$ + 1 + + {{% endmacro %}} +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +index 9bbd226..0bd0ac1 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +@@ -10,11 +10,21 @@ + + The default umask for users of the bash shell + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + + + ++ {{% endif %}} + + + + + ++ ++ ++ ++ ++ /etc/bashrc ++ [\s]*umask[\s]*0077[\s]* ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/home/.*\.bashrc$ ++ [\s]*umask[\s]*0077[\s]* ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/home/.*$ ++ ^.bashrc$ ++ .* ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml +new file mode 100644 +index 0000000..6ba68e8 +--- /dev/null ++++ 
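Review bot: The rationale undersells the risk: a `.forward` file is processed by the local MTA and with sendmail or Postfix may contain `|command` and `:include:` entries as well as addresses, so an attacker who can write one — or who finds one already present — gets code execution as that user on every delivery, not merely mail redirection. Suggested rationale: `A .forward file is honoured by the mail delivery agent and can redirect a user's mail to an external address or pipe it to an arbitrary command; an unexpected .forward therefore indicates data exfiltration or a persistence mechanism.` The description's "Use the following script to check:" is followed by no visible command, so either include the `find` over the `/etc/passwd` home directories or drop the sentence.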
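Review bot: Dropping the `^` anchor makes the TMOUT check accept lines that set nothing: `#TMOUT=300` (commented out) and `MY_TMOUT=300` now match `[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$`, and `(.*)` captures the value from the dead line as if it were live. If the intent is to accept `export TMOUT=300` or `readonly TMOUT=300`, allow those prefixes explicitly instead: `^[\s]*(?:export[\s]+|readonly[\s]+)?TMOUT[\s]*=[\s]*(.*)[\s]*$`. This line sits inside a shared macro with no product condition, so the loosening applies to every product that builds this OVAL, not only openEuler.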
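Review bot: The new openEuler umask objects use `[\s]*umask[\s]*0077[\s]*` with neither `^` nor `$`, so `#umask 0077` (commented) and `umask 00770` pass while the equivalent `umask 077` fails — bash treats the leading zero as optional. The value is also hard-coded in place of the umask variable the rule's other branch appears to be driven by, so a profile selecting `027` cannot be satisfied on openEuler. Use `^[\s]*umask[\s]+0?077[\s]*$` (or the variable with the same optional-zero handling) in both the `/etc/bashrc` and the `^/home/.*\.bashrc$` objects. Requiring the setting in every user's `.bashrc` is stricter than the rule title suggests — a user whose `.bashrc` simply sources `/etc/bashrc` would fail — so confirm the test's `check`/`check_existence` so that an absent per-user line does not fail when the system default is correct.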
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure file access permissions audit rules' ++ ++description: |- ++ File access permission control is the basic permission management in Linux. Different users ++ are authorized to access different files, preventing the leakage of sensitive information ++ between users or the tampering of file data. It can also prevent ordinary users from ++ unauthorized access to high-privilege files or configurations in the system. ++ ++ It is recommended to audit and monitor system calls that modify file permissions and file ++ owners in the operating system. If relevant auditing is not configured, if illegal ++ modification occurs, it will not be conducive to traceability. ++ ++ openEuler does not configure file access control permission audit rules by default. It is ++ recommended that users configure corresponding rules based on actual business scenarios. ++ ++

Check the configuration with the following command:

++ ++rationale: |- ++ Configuring auditing, because audit logs need to be recorded when file permissions and owners ++ are modified, will have a slight impact on performance. However, since such operations should ++ not be performed frequently, it is actually not perceptible to users. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml +index 948c5a8..2f1e9ab 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chmod/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Permission Changes to Files - chmod' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml +index b007a5b..dde40d2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_chown/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Ownership Changes to Files - chown' + +@@ 
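Review bot: The `rationale` block reads as a performance note ("will have a slight impact on performance ... not perceptible to users") rather than a reason for the control; the justification belongs in `rationale` and the performance remark in `warnings`. Suggested rationale: `Changes to file permissions, ownership and extended attributes are a common step in privilege escalation and in concealing tampering; recording the chmod, chown and *xattr syscall families lets an investigator attribute such a change to a user, process and time.` The description announces "Check the configuration with the following command:" but no command follows in the visible text, and the rule has no OVAL of its own while this same patch enables the per-syscall `audit_rules_successful_file_modification_*` rules for openeuler2203 — either make this the group description or point the reader to those rules so the overlap is clearly intentional.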
-43,4 +43,3 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. +- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml +index b6e94e8..4295c8d 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmod/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Permission Changes to Files - fchmod' + +@@ -42,5 +42,4 @@ warnings: + Note that these rules can be configured in a + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system +- calls with others as identifying earlier in this guide is more efficient. +- ++ calls with others as identifying earlier in this guide is more efficient. 
+\ No newline at end of file
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+index 99f23dc..6ff406c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchmodat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Permission Changes to Files - fchmodat'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+index ba8ab84..d115f99 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchown/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Ownership Changes to Files - fchown'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+index 1f14d0e..8c58434 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fchownat/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Ownership Changes to Files - fchownat'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+index 1ae3563..3107f57 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fremovexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Permission Changes to Files - fremovexattr'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+index 32036d7..240d5fd 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_fsetxattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Permission Changes to Files - fsetxattr'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+index 3da880e..8ee14ab 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lchown/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Ownership Changes to Files - lchown'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+index d614542..365e3fb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lremovexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Permission Changes to Files - lremovexattr'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+index 99d8c06..abf165a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_lsetxattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Permission Changes to Files - lsetxattr'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+index d9c4de1..233d283 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_removexattr/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4
++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203
+ 
+ title: 'Record Successful Permission Changes to Files - removexattr'
+ 
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+-
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+index 1a9c10d..b2bf48a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_rename/rule.yml
+@@ -43,4 +43,3 @@ warnings:
+ number of ways while still achieving the desired effect. Here the system calls
+ have been placed independent of other system calls. Grouping these system
+ calls with others as identifying earlier in this guide is more efficient.
+- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml +index 674cf98..66fcc91 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_renameat/rule.yml +@@ -43,4 +43,3 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. +- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml +index 118da61..015562b 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_setxattr/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ol7,ol8,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Record Successful Permission Changes to Files - setxattr' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml +index b8734a0..27782c6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_successful_file_modification_unlink/rule.yml +@@ -43,4 +43,3 @@ warnings: + number of ways while still achieving the desired effect. Here the system calls + have been placed independent of other system calls. Grouping these system + calls with others as identifying earlier in this guide is more efficient. +- +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +index ebd52e2..2e7f907 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - creat' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +index 3634935..cac6a0d 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - ftruncate' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +index 8d813fa..425ecb7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - open' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +index e8ec755..20b4d42 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Record Unsuccessful Access Attempts to Files - openat' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml +new file mode 100644 +index 0000000..1e4f780 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privilege_escalation_command/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Privilege escalation command audit rules should be configured' ++ ++description: |- ++ Ordinary users can obtain super administrator privileges by calling privilege ++ escalation commands (with SUID/SGID set). ++ ++

It is recommended to audit and monitor privilege escalation commands to facilitate ++ traceability afterwards.

++

openEuler does not configure audit rules for privilege escalation commands by ++ default. It is recommended that users configure corresponding rules based on actual ++ business scenarios.

++

It can not be scanned automatically, please check it manually.

++ ++ ++rationale: |- ++ The use of privilege escalation ++ commands carries high risks and is often used by attackers to attack the system. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml +new file mode 100644 +index 0000000..abf76c2 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/oval/shared.xml +@@ -0,0 +1,89 @@ ++ ++ ++ ++ Audit rules for administrator privileged operations should be configured ++ {{{- oval_affected(products) }}} ++ Configure audit rules for administrator privileged operations ++ ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% endif %}} ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]+sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/sudoers ++ [\s]*Defaults[\s]*logfile[\s]*=[\s]*/var/log/sudo\.log[\s]* ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]/var/log/sudo\.log[\s]\-p[\s]*wa[\s]*\-k.* ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]/var/log/sudo\.log[\s]\-p[\s]*wa[\s]*\-k.* ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml +new file mode 100644 +index 0000000..63304a8 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_admin_privilege/rule.yml +@@ -0,0 +1,28 @@ 
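Review bot: The new rule `audit_privilege_escalation_command` ships no `ocil`/`ocil_clause` section, so the manual check the description promises ("please check it manually") has no procedure attached and the rule will render as not-checked with nothing for an assessor to follow. Sibling rules in this patch use `ocil_clause:` and `ocil:` for exactly this; at minimum add an `ocil:` block telling the assessor to list the loaded rules with `auditctl -l` and confirm that a watch or syscall rule covers each SUID/SGID binary present on the system. `prodtype: openeuler2203` is set, but the rule carries no `identifiers` or `references`; that is fine for a vendor baseline, but a one-line comment saying so would stop a later reader from assuming upstream mappings were dropped by accident. The file also ends without a trailing newline (`\ No newline at end of file`), which several of the new rule.yml files share.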
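Review bot: The first two `pattern` values, `^\-w[\s]+sudo\.log[\s]+\-p...`, require the watched path to be literally `sudo.log` immediately after the whitespace, so a real auditd watch such as `-w /var/log/sudo.log -p wa -k sudo` never matches them; as far as I know auditctl rejects relative watch paths, so these two tests can only match a rule auditd would refuse to load. The later pair uses `^\-w[\s]/var/log/sudo\.log[\s]\-p[\s]*wa[\s]*\-k.*`, where `[\s]` without a quantifier allows exactly one whitespace character and `wa` is accepted only in that order, so `-p aw` or a double space fails; reuse the permission alternation from the first pair in all four tests, `^\-w[\s]+/var/log/sudo\.log[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$`. The `/etc/sudoers` pattern `[\s]*Defaults[\s]*logfile[\s]*=[\s]*/var/log/sudo\.log[\s]*` has no `^` anchor, so a commented-out `# Defaults logfile=/var/log/sudo.log` satisfies it, and `/etc/sudoers.d/` is not consulted; anchor it as `^[\s]*Defaults[\s]+logfile[\s]*=[\s]*/var/log/sudo\.log[\s]*$` and consider a second object over `^/etc/sudoers\.d/.*$`. The XML tags did not survive in this rendering, so which tests belong to the openeuler2203 branch versus the `else` branch cannot be confirmed from here.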
++documentation_complete: true ++ ++title: 'Audit rules for administrator privileged operations should be configured' ++ ++description: |- ++ ++ The sudo extraction command operation log in the openEuler system is recorded ++ in the /var/log/secure log file by default. Other authentication-related security ++ logs are also recorded in this file. If the user wants to audit the sudo extraction ++ command, it is recommended that the sudo related logs be Record separately and ++ output to /var/log/sudo.log, and then audit and monitor the sudo log file. ++ ++ openEuler does not configure audit rules for administrator privileged operations ++ by default. It is recommended that users configure corresponding rules based on ++ actual business scenarios. ++ ++

Check the audit rules for administrator privileged operations by running the following command.

++ ++rationale: |- ++ Sudo ++ privilege escalation is a high-risk operation and is relatively common in attacks. It ++ is recommended to configure audit rules for later tracing. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml +index f02f22b..c514207 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml +@@ -5,7 +5,23 @@ + {{{- oval_affected(products) }}} + Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled. + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + ++ ++ {{% else %}} + + + +@@ -21,6 +37,7 @@ + + + ++ {{% endif %}} + + + +@@ -41,4 +58,22 @@ + 1 +
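Review bot: The description ends with "Check the audit rules for administrator privileged operations by running the following command." but no command follows it in the hunk, so the reader is left without the check; either supply it (for example `auditctl -l | grep sudo.log`) or move it into an `ocil:` block as the other new rules in this patch do. Unlike `audit_privilege_escalation_command` and the other openEuler rules added here, this rule has no `prodtype:` key, so it is built for every product; if that is deliberate because the OVAL carries an `{{% else %}}` branch, a one-line comment saying so would stop the next reviewer from "fixing" it. The phrase "sudo extraction command" reads as a literal translation; "sudo privilege-escalation command" matches the rationale's own wording. `severity: high` here against `severity: low` on the closely related privilege-escalation rule looks arbitrary; aligning them or documenting the difference would help.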
+ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^\-w[\s]+(/etc/selinux|/etc/selinux/)[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^\-w[\s]+(/etc/selinux|/etc/selinux/)[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml +index 1ba55ad..511d635 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_media_export/oval/shared.xml +@@ -5,6 +5,30 @@ + {{{- oval_affected(products) }}} + Audit rules that detect the mounting of filesystems should be enabled. + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} + + + +@@ -27,6 +51,7 @@ + + + ++ {{% endif %}} + + + +@@ -64,4 +89,40 @@ + ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$ + 1 + ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ 
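Review bot: The alternation `(/etc/selinux|/etc/selinux/)` in the two new patterns is just `/etc/selinux/?` and reads as if two variants were pasted together; the shorter form says the same thing. Note also that the `{{% if product in ['openeuler2203'] %}}` block added at the top of this file is not visible here with its tags, so whether these two tests are referenced only from the openEuler branch cannot be confirmed from this view.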
/etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml +index 05a5723..82d89e2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml +@@ -6,32 +6,74 @@ + The network environment should not be modified by anything other than + administrator action. Any change to network parameters should be audited. + ++ {{% if product in ['openeuler2203'] %}} ++ + +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% else %}} ++ + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% endif %}} + + + +@@ -106,4 +148,40 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(setdomainname|sethostname|hosts|issue).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git 
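Review bot: The new openEuler patterns, e.g. `^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])).*(-k[\s]+|-F[\s]+auid!=).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$`, are much looser than the upstream pattern kept just above them: the middle group `(-k[\s]+|-F[\s]+auid!=)` is satisfied by the `-k` key alone, so nothing requires the `-F auid>={{{ auid }}} -F auid!=unset` filters, and the `.*` wildcards admit any intervening filters. If openEuler intentionally does not require the auid filters, drop the middle group rather than leave an alternation that can never fail when a key is present; if it does require them, keep the upstream `(?:.*-F\s+auid>={{{ auid }}}\s+\-F\s+auid!=(?:4294967295|unset)\s+)` group. The same construction appears in the `audit_rules_networkconfig_modification` hunk on this line, which additionally collapses several distinct rules into one: `.*(setdomainname|sethostname|hosts|issue).*` passes as soon as any single one of those tokens appears, so a system auditing only `sethostname` and none of `/etc/hosts`, `/etc/issue` or `setdomainname` is reported compliant. Split that into one test per syscall or path, or require each token in its own state, so the check reflects what the rule title claims.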
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml +index 9cf46d4..9c8315a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml +@@ -5,7 +5,35 @@ + {{{- oval_affected(products) }}} + Record attempts to alter time through clock_settime. + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + ++ ++ {{% else %}} + + + +@@ -33,6 +61,7 @@ + + + ++ {{% endif %}} + + + +@@ -71,4 +100,40 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml +index dce9b83..7119868 100644 +--- 
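Review bot: The new openEuler patterns for `clock_settime` accept any `-a always,exit -F arch=bNN ... clock_settime ... -k KEY` rule and, unlike what I recall of the upstream test for this rule (its regex is not visible in this hunk), do not require `-F a0=0x0`, so a rule that audits every clock id rather than `CLOCK_REALTIME` passes as well. If the wider match is intended for openEuler, say so in the rule's description; otherwise add `.*-F[\s]+a0=0x0` to the four patterns. As in the other OVAL hunks of this patch, the XML tags were stripped here, so the test/object/state wiring cannot be checked from this view.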
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml +@@ -6,12 +6,30 @@ + disk_error_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ ++ + + + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml +index 775c354..88e649a 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml +@@ -6,12 +6,30 @@ + disk_full_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ ++ + + + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml +new file mode 100644 +index 0000000..bf0b651 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ auditd data retention admin space left ++ ++ multi_platform_openeuler ++ ++ auditd data retention admin space left. 
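Review bot: The new pattern `^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$` accepts only ASCII spaces around the key and `=`, while the `space_left`/`admin_space_left` patterns added later in this patch use `[\s]`, so a tab-separated `auditd.conf` line passes one family of checks and fails the other. auditd's own parser, as far as I know, splits on both spaces and tabs, so the `[ ]` form can report a false failure on a configuration auditd accepts. Use `^[\s]*disk_error_action[\s]+=[\s]+(\S+)[\s]*$` here and the same form in the `disk_full_action` hunk on this line and in the `admin_space_left_action` and `space_left_action` hunks further down. The XML tags were stripped in this rendering, so what the captured `(\S+)` is compared against cannot be verified from here.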
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$ ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml +new file mode 100644 +index 0000000..2c9273d +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left/rule.yml +@@ -0,0 +1,56 @@ ++documentation_complete: true ++ ++title: 'Configure auditd admin_space_left on Low Disk Space' ++ ++description: |- ++ The auditd service can be configured to take an action ++ when disk space is running low but prior to running out of space completely. ++ Edit the file /etc/audit/auditd.conf. Add or modify the following line, ++ substituting ACTION appropriately: ++
admin_space_left_action = ACTION
++ Set this value to single to cause the system to switch to single user ++ mode for corrective action. Acceptable values also include suspend and ++ halt. For certain systems, the need for availability ++ outweighs the need to log all actions, and a different setting should be ++ determined. Details regarding all possible values for ACTION are described in the ++ auditd.conf man page. ++ ++rationale: |- ++ Administrators should be made aware of an inability to record ++ audit records. If a separate partition or logical volume of adequate size ++ is used, running low on space for audit records should never occur. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel6: 27239-3 ++ cce@rhel7: 27370-6 ++ cce@rhel8: 80679-4 ++ cce@ocp4: 82677-6 ++ ++references: ++ stigid@rhel6: "000163" ++ srg@rhel6: SRG-OS-999999 ++ cis: 5.2.1.2 ++ cjis: 5.4.1.1 ++ cui: 3.3.1 ++ disa: 140,1343 ++ hipaa: 164.312(a)(2)(ii) ++ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 ++ nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) ++ nist-csf: DE.AE-3,DE.AE-5,PR.DS-4,PR.PT-1,RS.AN-1,RS.AN-4 ++ pcidss: Req-10.7 ++ stigid@rhel7: "030340" ++ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 7.1,SR 7.2' ++ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 ++ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 ++ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 ++ ++ocil_clause: 'the system is not configured to switch to single user mode for corrective action' ++ ++ocil: |- ++ Inspect /etc/audit/auditd.conf and locate the following line to ++ determine if the system is configured to either suspend, switch to single user mode, ++ or halt when disk space has run low: ++
admin_space_left_action single
++ +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml +index ce56d0e..e232b18 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml +@@ -6,11 +6,28 @@ + admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ + + + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml +index 294fdbd..4a4c42e 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml +@@ -6,12 +6,29 @@ + space_left setting in /etc/audit/auditd.conf is set to at least a certain value + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + +- ++ {{% endif %}} + + ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[\s]*space_left[\s]+=[\s]+(\d+)[\s]*$ ++ 1 ++ ++ + + + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +index cb1ff1d..080e1ee 100644 +--- 
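Review bot: The rule is titled and checked as `admin_space_left` (the OVAL in the sibling hunk matches `^[\s]*admin_space_left[\s]+=[\s]+(\d+)[\s]*$`), but the description, `ocil_clause` and `ocil` were copied from the `admin_space_left_action` rule: they tell the user to set `admin_space_left_action = ACTION` to `single`/`suspend`/`halt`, and the OCIL asks to look for `admin_space_left_action single`, none of which the OVAL checks. Rewrite the description around the threshold, e.g. `admin_space_left = SIZE_IN_MB`, and the OCIL as `grep admin_space_left /etc/audit/auditd.conf` with the expected minimum stated, so the text and the automated check agree. The `identifiers` block (`cce@rhel6: 27239-3`, `cce@rhel7: 27370-6`, `cce@rhel8: 80679-4`, `cce@ocp4: 82677-6`) and the `references` also look copied from that rule; CCE ids must be unique per rule, so duplicating them will collide with the existing rule in the build and they should be removed or replaced. There is also no `prodtype:` key, unlike the other openEuler-specific rules in this patch.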
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: ocp4,rhel6,rhel7,rhel8,rhv4,wrlinux1019,openeuler2203 + + title: 'Configure auditd space_left on Low Disk Space' + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml +index 50735c1..4f20c64 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml +@@ -6,11 +6,29 @@ + space_left_action setting in /etc/audit/auditd.conf is set to a certain action + + ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ {{% else %}} + + + ++ {{% endif %}} + + ++ ++ ++ ++ ++ ++ ++ /etc/audit/auditd.conf ++ ++ ++ ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ ++ 1 ++ + + + +diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +index 2c17ee1..0f4cdf0 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' + +diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml 
b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +index 36f3200..34ca8aa 100644 +--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml ++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,openeuler2203 + + title: 'Extend Audit Backlog Limit for the Audit Daemon' + +diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml +new file mode 100644 +index 0000000..1e95b34 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_dump_journald_log/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Make sure rsyslog dump journald log is configured ++ ++ multi_platform_openeuler ++ ++ Configure rsyslog dump journald log. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^[^#]*imjournal ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml +new file mode 100644 +index 0000000..34e511b +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_dump_journald_log/rule.yml +@@ -0,0 +1,25 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure rsyslog dump journald log is configured' ++ ++description: |- ++ ++ The system uses journald to collect logs. The logs may be stored on ++ volatile storage devices or on persistent storage devices. If there ++ are problems such as log loss or logs filling up the disk, the logs ++ must be dumped in a timely manner to ensure that the logs are more ++ consistent with the system. Safety. ++ ++
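Review bot: The test pattern `^[^#]*imjournal` against `/etc/rsyslog.conf` only proves the string `imjournal` appears on a non-comment line; it passes on a bare `$ModLoad imjournal` with no output rule, and it ignores `/etc/rsyslog.d/*.conf`, where drop-in configuration may live, so a correct configuration placed there fails the check. Tighten it to match the actual module load, `^[^#]*(\$ModLoad[\s]+imjournal|module\(load="imjournal")`, and add a second object with `^/etc/rsyslog\.d/.*\.conf$` as the filepath pattern, as the audit-rule tests in this patch do for `/etc/audit/rules.d/`. The `title` calls this "dump journald log"; "forward journald logs to rsyslog" is what `imjournal` does and would make the intent clearer to an assessor.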

Check whether the relevant fields have been configured in the /etc/rsyslog.conf file:

++
$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
++ ++rationale: |- ++ If there is a volatile storage device for the log, failure to dump ++ the log in time may result in log loss. If there is a persistent ++ storage device, the amount of logs may be very large. If the logs ++ are not dumped in time, the logs may fill up the current partition, ++ causing the risk of other processes or system failures. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml +new file mode 100644 +index 0000000..ec95d20 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_first_logging_change_password/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the account is forced to change the password when logging in for the first time' ++ ++description: |- ++ Passwords that are not set by users themselves, such as passwords reset by ++ administrators, if not modified in a timely manner in the business environment, ++ can easily cause low-cost attacks. Therefore, users are required to forcibly change ++ their passwords when logging in to their accounts for the first time. Except for ++ the root password. ++ ++
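Review bot: The example check command at the end of the description, `$ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*`, belongs to a sysctl rule and has nothing to do with rsyslog or journald; replace it with `$ grep -i imjournal /etc/rsyslog.conf /etc/rsyslog.d/*.conf`, which matches the `imjournal` keyword the companion OVAL tests in `/etc/rsyslog.conf`. The sentence "the logs must be dumped in a timely manner to ensure that the logs are more consistent with the system. Safety." is broken mid-sentence; something like "…so that logs are preserved and the system remains secure." reads as intended. The rationale mixes two different risks (log loss on volatile storage versus disk exhaustion on persistent storage) while the rule only checks that journald is forwarded to rsyslog; state that as the rationale and leave disk exhaustion to `configure_rsyslog_log_rotate`.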

It can not be scanned automatically, please check it manually.

++
    ++
  • Check whether the configuration of the specified account in the /etc/shadow file is correct: ++
    $ grep ^test: /etc/shadow 
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml +new file mode 100644 +index 0000000..e45ebb7 +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_rsyslog_log_rotate/rule.yml +@@ -0,0 +1,48 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that Rsyslog log rotate is configured' ++ ++description: |- ++ rsyslog is responsible for collecting log records from the system into files, and logrotate ++ is responsible for regularly or quantitatively copying and compressing log files to ensure ++ that excessive hard disk resources are not occupied due to excessive log file size, or that ++ the log files are even unmaintainable. ++ ++ By default, openEuler has configured the rsyslog rotate policy in the /etc/logrotate.d/rsyslog ++ file as follows:. ++ ++ rotate log file: ++ /var/log/cron ++ ++ /var/log/maillog ++ ++ /var/log/messages ++ ++ /var/log/secure ++ ++ /var/log/spooler ++ ++ The maximum retention period of log files is 365 days; ++ ++ A maximum of 30 log files can be retained; ++ ++ Log files are retained in a compressed manner; ++ ++ The log file reaches 4MB, perform rotate operation. ++ ++
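Review bot: `rationale: |-` followed by `none.` leaves the rule without a justification, even though the description already contains one; move "Passwords that are not set by users themselves … can easily cause low-cost attacks" into the rationale. The manual check `$ grep ^test: /etc/shadow` uses a hard-coded example account and does not say what to look for; state the expected field, e.g. "the third field (date of last password change) is 0, as set by `chage -d 0 <user>`, which forces a change at next login". "Except for the root password." reads as a fragment; "The root account is exempt from this requirement." says the same thing clearly. The file again lacks a trailing newline.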

It can not be scanned automatically, please check it manually.

++
    ++
  • Check whether the relevant fields have been configured in the /etc/logrotate.d/rsyslog file: ++
    $ cat /etc/logrotate.d/rsyslog | grep -iE "\/var\/log|maxage|\<rotate\>|compress|size"
    ++
  • ++
++ ++rationale: |- ++ If the rotate policy is not configured, the log file will continue to grow, which may ++ eventually lead to the exhaustion of space on the hard disk partition where the log is ++ located, which may affect log recording at best, or may cause the system and business to be ++ unable to continue to execute normally. ++ ++severity: high +diff --git a/linux_os/guide/system/logging/configure_service_logging/rule.yml b/linux_os/guide/system/logging/configure_service_logging/rule.yml +new file mode 100644 +index 0000000..4eccadf +--- /dev/null ++++ b/linux_os/guide/system/logging/configure_service_logging/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Each service logging should be configured correctly' ++ ++description: |- ++ Configure logging so that important system behaviors and security-related information will ++ be recorded using rsyslog. The configuration files /etc/rsyslog.conf and /etc/rsyslog.d/*.conf ++ can specify logging rules and which files will be used to record specific types of logs. ++ ++ If logging is not configured, system behavior cannot be recorded, and problem location and ++ auditing cannot be performed when problems occur. ++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • For example: Check whether reasonable logging rules are configured in /etc/rsyslog.conf and /etc/rsyslog.d/*.conf: ++
    # grep \/var\/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf
    ++
  • ++
++ ++rationale: |- ++ After logging is configured, if the logs are not cleared in time, the logs may fill up the current partition, causing the ++ risk of other processes or system failures. ++ ++severity: low +diff --git a/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml +new file mode 100644 +index 0000000..763f023 +--- /dev/null ++++ b/linux_os/guide/system/logging/diasable_root_accessing_system/rule.yml +@@ -0,0 +1,50 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Prevent root users from accessing the system locally' ++ ++description: |- ++ Root is a super-privileged user in a Linux system and has access to all ++ Linux system resources. If you are allowed to directly use the root account ++ to log in to the Linux system to operate the system, it will bring many ++ potential security risks. In order to avoid the risks caused by this, it ++ should be prohibited to directly use the root account to log in to the ++ operating system, and only use other technologies when necessary. Methods ++ (such as: sudo or su) indirectly use the root account. ++ ++ Since the root account has the highest authority, logging in directly with ++ root has the following risks: ++ ++ High-risk misoperations may directly cause server paralysis, such as accidentally ++ deleting or modifying key system files; ++ ++ If multiple people need root privileges to operate, the root password will be ++ kept by multiple people, which can easily lead to password leakage and increase ++ password maintenance costs. ++ ++ openEuler is not configured by default. If there is no need to log in locally using ++ the root account in actual scenarios, it is recommended to disable local login ++ with the root account. ++ ++
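Review bot: The `rationale` ("if the logs are not cleared in time, the logs may fill up the current partition…") is the rationale of `configure_rsyslog_log_rotate`/`configure_dump_journald_log`, not of this rule, which is about whether logging rules exist at all; the description already states the correct one ("If logging is not configured, system behavior cannot be recorded, and problem location and auditing cannot be performed"), so move that sentence into `rationale:` and drop the rotation text. The check command `# grep \/var\/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf` uses a `#` prompt while every other new rule in this patch uses `$`; pick one. The escaped slashes in `\/var\/log` are unnecessary in a grep pattern and make the command harder to read; `grep /var/log /etc/rsyslog.conf /etc/rsyslog.d/*.conf` is equivalent.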

The checking method is as follows:

++
    ++
  • Check whether the account type pam_access.so module is added to the /etc/pam.d/system-auth file, and the module must be loaded before the sufficient control line: ++
    $ cat /etc/pam.d/system-auth
    ++
  • ++
  • Then, check whether restrictions on root user login to tty1 are set in the /etc/security/access.conf file: ++
    $ grep "^\-:root" /etc/security/access.conf
    ++
  • ++
  • Finally, use the serial port to try to log in to the root account and confirm whether the login is denied. If login is refused, the serial port prints the following information: ++
    Authorized users only. All activities may be monitored and reported.
    ++    localhost login: root
    ++    Password:
    ++    
    ++    Permission denied 
    ++
  • ++
++ ++rationale: |- ++ The root account cannot access the system locally. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +index a78cd69..3bd9887 100644 +--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml ++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml +@@ -9,6 +9,7 @@ + multi_platform_ol + multi_platform_rhel + multi_platform_ubuntu ++ multi_platform_openeuler + + File permissions for all syslog log files should be set correctly. + +diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml +new file mode 100644 +index 0000000..63bce75 +--- /dev/null ++++ b/linux_os/guide/system/logging/recorded_authentication_related_event/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Ensure that system authentication related event logs are recorded ++ ++ multi_platform_openeuler ++ ++ Configure the System to Record Authentication-related Event. 
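Review bot: The rule directory, and therefore the rule id that profiles will reference, is spelled `diasable_root_accessing_system`; since ids are hard to rename once a profile or tailoring file points at them, correct it to `disable_root_accessing_system` before this lands. `rationale: The root account cannot access the system locally.` merely restates the title; the risks listed in the description (misoperations with full privileges, a shared root password leaking) are the rationale and belong there. The check steps expect `grep "^\-:root" /etc/security/access.conf` but never state the line the assessor should find; give it explicitly, e.g. `-:root:tty1` (or `-:root:LOCAL` for all local logins), so "set correctly" has a concrete meaning. The sample transcript hard-codes the banner text and the `localhost login:` prompt, which differ per host; "login is refused with `Permission denied`" is enough.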
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/rsyslog.conf ++ ^[^#]*auth ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml +new file mode 100644 +index 0000000..26abd58 +--- /dev/null ++++ b/linux_os/guide/system/logging/recorded_authentication_related_event/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that system authentication related event logs are recorded' ++ ++description: |- ++ ++ Events related to system authentication must be recorded to help ++ analyze user logins, use of root privileges, and monitor suspicious ++ system actions. ++ |- ++ Check whether auth-related fields have been configured in the /etc/rsyslog.conf file: ++
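Review bot: The pattern `^[^#]*auth` applied to /etc/rsyslog.conf is satisfied by the stock `*.info;mail.none;authpriv.none;cron.none /var/log/messages` selector, which excludes authpriv rather than recording it, so the check passes on a host that never writes an auth log. The pattern needs to require a selector that actually routes the facility somewhere, e.g. `^[^#]*\bauth(priv)?\.(?!none)\S+\s+\S`, which matches `authpriv.* /var/log/secure` but not `authpriv.none`. If the openEuler rsyslog.conf includes /etc/rsyslog.d/*.conf (as stock configurations usually do), a selector placed there is also missed, so a second object over that directory would make the rule robust.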

$ grep auth /etc/rsyslog.conf | grep -v "^#"

++ ++rationale: |- ++ Failure to record system authentication-related event logs will ++ result in the inability to analyze suspicious attack actions from ++ the logs, such as login actions performed by attackers trying to ++ guess administrator passwords. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml +index ec1256d..e42fd58 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp/rule.yml +@@ -9,6 +9,7 @@ description: |- + /etc/rsyslog.conf to enable reception of messages over TCP: +
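Review bot: The manual check `grep auth /etc/rsyslog.conf | grep -v "^#"` has the same blind spot as the OVAL: it reports a hit for `authpriv.none` on the default /var/log/messages selector, which is the opposite of recording auth events, and it never says what output constitutes a pass. Suggest `grep -E '^[^#]*\bauth(priv)?\.' /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -v '\.none'` with the expected result stated, e.g. a line such as `authpriv.* /var/log/secure`. The stray `|-` line inside the `description:` block scalar is literal text in YAML, not the start of a second block, so it will be rendered into the guide verbatim.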
$ModLoad imtcp
+     $InputTCPServerRun 514
++

It can not be scanned automatically, please check it manually.

+ + rationale: |- + If the system needs to act as a log server, this ensures that it can receive +diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml +index b42ba95..8c08059 100644 +--- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml ++++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp/rule.yml +@@ -9,6 +9,7 @@ description: |- + /etc/rsyslog.conf to enable reception of messages over UDP: +
$ModLoad imudp
+     $UDPServerRun 514
++

It can not be scanned automatically, please check it manually.

+ + rationale: |- + Many devices, such as switches, routers, and other Unix-like systems, may only support +diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +index 22307d4..c3e2752 100644 +--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml ++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +@@ -10,6 +10,7 @@ + multi_platform_rhel + multi_platform_ubuntu + multi_platform_wrlinux ++ multi_platform_openeuler + + Syslog logs should be sent to a remote loghost + +diff --git a/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml +new file mode 100644 +index 0000000..7148507 +--- /dev/null ++++ b/linux_os/guide/system/logging/warning_banners_contain_reasonable_information/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure Warning Banners contain reasonable information' ++ ++description: |- ++ Warning Banners include warning information added to the system login ++ interface, which identifies the system's security warnings for all ++ users who log in to the system. Security warnings can include the ++ organization to which the system belongs, monitoring or recording of ++ login behaviors, and unauthorized logins based on business scenarios. Or ++ the legal sanctions that will be imposed upon intrusion. Inappropriate ++ security warning information may increase the risk of system attacks ++ or violate local laws and regulations. ++ ++ Warning Banners should not expose the system version, application server ++ type, functions, etc. to users to prevent attackers from obtaining system ++ information and carrying out attacks. 
In addition to this, file ownership ++ needs to be configured correctly, otherwise unauthorized users may modify ++ files with incorrect or misleading information. ++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • You can check it by the following method: ++
    Use the cat command to check whether the warning information in the three files /etc/motd, /etc/issue, and /etc/issue.net is reasonable, and whether there is system version, application server type, function and other information;
    ++
  • ++
  • or: ++
    Use the ll command to check whether the permissions of the three files /etc/motd, /etc/issue, and /etc/issue.net are 644;
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..2f405be +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_association_policy_configured_corrently/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables input and output association policies configuration is correct' ++ ++description: |- ++ Although it is possible to configure packet policies for incoming and outgoing servers to the ++ Input and OUTPUT chains by configuring protocols, IP, and ports, in some cases it may be more ++ complex. For example, if the client accesses the server through a certain port, the server may ++ not necessarily return the response packet from the original port, and may use a random source ++ port. In this case, it is difficult to configure accurate policies through the sport parameter. ++ ++ At this point, it is necessary to consider using association links to configure the strategy. ++ If an outgoing message belongs to an existing network link, it will be directly released; If a ++ received message belongs to an existing network link, it is also directly released. Because ++ these existing links must have been filtered and checked by other policies, otherwise they cannot ++ be established. ++ ++
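Review bot: The `ll` check verifies only the 644 mode, while the description says file ownership must also be correct; a banner file owned by a non-root user can be rewritten regardless of its mode. Suggest `stat -c '%n %U:%G %a' /etc/motd /etc/issue /etc/issue.net` with the expected result `root:root 644` stated explicitly. `rationale: |- none.` leaves the most useful field empty; the last two paragraphs of the description (version disclosure and tampering with misleading text) are the rationale and belong there.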

It can not be scanned automatically, please check it manually.

++

Check if the input and output chains are configured with associated policies.

++
    ++
  • You can use below cli command to check if the input and output chains of IPv4 are configured with associated policies: ++
    $ iptables -L
    ++
  • ++
  • You can use below cli command to check if the input and output chains of IPv6 are configured with associated policies: ++
    $ ip6tables -L
    ++
  • ++
++ ++rationale: |- ++ If the policy is not configured through associated links, it is necessary to analyze all possible ++ link situations and configure corresponding policies. If the configuration is too loose, it may ++ cause security risks, and if the configuration is too strict, it may cause business interruption. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..28f7f5d +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_input_policy_configured_corrently/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables input policy configuration is correct' ++ ++description: |- ++ The function of the Input chain is to filter packets received from external sources. Any ++ externally provided service requires configuring the corresponding Input policy and opening ++ the relevant port, so that external clients can access the service through that port. ++ ++
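Review bot: The check `iptables -L` names no expected rule, and without `-n` it performs reverse DNS on every address, which can stall the audit on a host with restricted egress. Suggest `iptables -L INPUT -v -n | grep -E 'state|ctstate'` and `ip6tables -L INPUT -v -n | grep -E 'state|ctstate'`, and state that a rule of the form `ACCEPT ... ctstate RELATED,ESTABLISHED` is expected in INPUT (and in OUTPUT whenever the OUTPUT policy is DROP). A `ctstate INVALID` DROP placed before it is the usual companion and is worth mentioning.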

It can not be scanned automatically, please check it manually.

++

Check if the policy configured for the input chain meets business needs.

++
    ++
  • You can use below cli command to check the input chain of IPv4: ++
    $ iptables -L INPUT -v -n
    ++
  • ++
  • Or check the input chain of IPv6: ++
    $ ip6tables -L INPUT -v -n
    ++
  • ++
++ ++rationale: |- ++ If not configured, all external attempts to access related services will be discarded due to ++ the default policy configuration being DROP. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..ddee908 +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_loopback_policy_configured_corrently/rule.yml +@@ -0,0 +1,36 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables loopback policy configuration is correct' ++ ++description: |- ++ The loopback address is a special address on the server, represented by 127.0.0.0/8,which is ++ not related to the network card and is mainly used for communication between local processes. ++ Messages with a source address of 127.0.0.0/8 should not be received from the network card, ++ and such messages should be discarded. ++ ++
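Review bot: The rationale describes an availability failure (services become unreachable) rather than the security risk, and it presumes a DROP default policy that only exists if the default-deny rule of this same patch has been applied. Suggest `If the INPUT chain admits more than the ports the host actually serves, every other listening service is exposed to the network; if it admits too little, the service is unreachable.` The check should also tell the auditor what passes: the header line must read `Chain INPUT (policy DROP)` and each ACCEPT rule must correspond to a required service and port.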

It can not be scanned automatically, please check it manually.

++

Check if the loopback address policy has been correctly configured.

++
    ++
  • You can use below cli command to check the input chain of IPv4: ++
    $ iptables -L INPUT -v -n
    ++
  • ++
  • Or check the output chain of IPv4: ++
    $ iptables -L OUTPUT -v -n
    ++
  • ++
  • Or check the input chain of IPv6: ++
    $ ip6tables -L INPUT -v -n
    ++
  • ++
  • Or check the output chain of IPv6: ++
    $ ip6tables -L OUTPUT -v -n
    ++
  • ++
++ ++rationale: |- ++ If the loopback address policy is not set correctly, it may cause communication failure between ++ local processes or receive spoofing messages from the network card. The server needs to set ++ policies that allow receiving and processing loopback address messages from the lo interface, ++ but reject messages received from the network card. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..ea672eb +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_output_policy_configured_corrently/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables output policy configuration is correct' ++ ++description: |- ++ There are two main situations for server outgoing messages: one is when the host process ++ actively connects to an external server, such as HTTP access, or sends data to a log server, ++ etc.; the other is when the host process accesses the local service externally and the local ++ machine responds to the message. ++ ++
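Review bot: The description defines loopback only as 127.0.0.0/8, yet the check lists ip6tables commands with no corresponding expectation; for IPv6 the anti-spoofing rule must match `::1/128`. Suggest stating the expected rules: `iptables -A INPUT -i lo -j ACCEPT`, `iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP`, and `ip6tables -A INPUT -s ::1 ! -i lo -j DROP` (with `-i lo -j ACCEPT` / `-o lo -j ACCEPT` for OUTPUT). As written, the auditor gets four chain listings and no pass criterion.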

It can not be scanned automatically, please check it manually.

++

Check if the policy configured for the output chain meets business needs.

++
    ++
  • You can use below cli command to check the output chain of IPv4: ++
    $ iptables -L OUTPUT -v -n
    ++
  • ++
  • Or check the input chain of IPv6: ++
    $ ip6tables -L OUTPUT -v -n
    ++
  • ++
++ ++rationale: |- ++ If the OUTPUT policy is not configured, all outgoing messages from the server will be discarded ++ due to the default policy being DROP. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml +new file mode 100644 +index 0000000..8cf8a56 +--- /dev/null ++++ b/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/configure_ipatbles_rule_refuse/rule.yml +@@ -0,0 +1,27 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the iptables default deny policy should be configured correctly' ++ ++description: |- ++ The function of the Input chain is to filter packets received from external sources. Any ++ externally provided service requires configuring the corresponding Input policy and opening ++ the relevant port, so that external clients can access the service through that port. ++ ++
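Review bot: The second bullet says "check the input chain of IPv6" but the command lists OUTPUT; it should read `Or check the output chain of IPv6:`. The rationale states that the default policy is DROP, but that only holds once the default-deny rule in this patch has been applied, so the dependency should be named rather than assumed.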

It can not be scanned automatically, please check it manually.

++

Check if the policy configured for the reject chain meets business needs.

++
    ++
  • You can use below cli command to check the input chain of IPv4: ++
    $ iptables -L | grep -E "INPUT|OUTPUT|FORWARD"
    ++
  • ++
  • Or check the input chain of IPv6: ++
    $ ip6tables -L | grep -E "INPUT|OUTPUT|FORWARD"
    ++
  • ++
++ ++rationale: |- ++ If not configured, all external attempts to access related services will be discarded due to ++ the default policy configuration being DROP. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +index bbea345..19cc6f5 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4 ++prodtype: fedora,ocp4,rhel6,rhel7,rhel8,rhv4,openeuler2203 + + title: 'Deactivate Wireless Network Interfaces' + +diff --git a/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml +new file mode 100644 +index 0000000..c918fd8 +--- /dev/null ++++ b/linux_os/guide/system/network/network_interface_binding_corrently/rule.yml +@@ -0,0 +1,26 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure the network interface is bound to the correct area' ++ ++description: |- ++ Different firewall regions can develop different filtering strategies. If the server network ++ is complex and has multiple interfaces, and different interfaces undertake different business ++ functions, it is recommended to configure the interfaces to different regions and develop ++ different firewall strategies. For example, the external network business interface does not ++ allow SSH access, while the internal network management interface can open SSH access. ++ ++
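Review bot: The description is a copy of the INPUT-policy rule and never describes the default-deny policy, and the rationale is inverted: if no default policy is configured, iptables chains default to ACCEPT, so unmatched traffic is admitted, not discarded. Suggest `Without a DROP (or REJECT) default policy on INPUT, OUTPUT and FORWARD, any packet not matched by an explicit rule is accepted, so a forgotten port or service is exposed.` The check should state the pass criterion: each `Chain INPUT/OUTPUT/FORWARD (policy ...)` line printed by `iptables -L | grep -E "INPUT|OUTPUT|FORWARD"` must show `policy DROP`.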

It can not be scanned automatically, please check it manually.

++

Check the interface configuration of each region:

++
    ++
    $ firewall-cmd --get-active-zones
    ++
++ ++rationale: |- ++ If all interfaces are configured in one area, firewall policies are not conducive to configuring ++ different interfaces differently, increasing management complexity, and reducing the filtering ++ efficiency of firewall security protection. Due to configuration issues, messages that should ++ not be received may not be rejected or discarded. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/group.yml b/linux_os/guide/system/network/network_nftables/group.yml +new file mode 100644 +index 0000000..68ecddd +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/group.yml +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++title: 'nftables' ++ ++description: |- ++ nftables is a subsystem of the Linux kernel that provides filtering ++ and classification of network packets. nftables replaces the iptables ++ part of Netfilter. Compared with iptables, nftable is easier to extend ++ to new protocols, and nftables will replace iptables in the future. ++ In addition, nftables is different from firewalld and iptables. The ++ operating system does not configure any policies by default and ++ requires manual configuration by the administrator. 
+\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..fb45bfe +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_association_policy_configured_corrently/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that the nftables input and output association policies configuration is correct' ++ ++description: |- ++ Although it is possible to configure packet policies for incoming and outgoing servers to the ++ input and output chains by configuring protocols, IPs, and ports, in some cases it may be more ++ complex. For example, if the client accesses the server through a certain port, the server may ++ not necessarily return the response message from the original port, and may use a random source ++ port. In this case, it is difficult to configure accurate policies through the sport parameter. ++ ++

At this point, it is necessary to consider using association links to configure the strategy. ++ If an outgoing message belongs to an existing network link, it will be directly released; If a ++ received message belongs to an existing network link, it is also directly released. Because ++ these existing links must have been filtered and checked by other policies, otherwise they ++ cannot be established.

++

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check if the input and output chains are configured with associated policies: ++
    $ nft list ruleset
    ++
  • ++
++ ++rationale: |- ++ If the policy is not configured through associated links, it is necessary to analyze all possible ++ link situations and configure corresponding policies. If the configuration is too loose, it may ++ cause security risks, and if the configuration is too strict, it may cause business interruption. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml +new file mode 100644 +index 0000000..804c3b5 +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_configure_default_deny_policy/rule.yml +@@ -0,0 +1,29 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables default deny policy' ++ ++description: |- ++ From a security perspective, the nftables basic chain is similar to ++ iptables. (Input, output, forward) you need to configure the rejection ++ policy for all packets, and then add the allow policy to the basic ++ chain to open related services and ports. ++ ++
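Review bot: `nft list ruleset` is given without the expected rule; the nftables form of the connection-tracking accept is `ct state established,related accept` (normally preceded by `ct state invalid drop`). Suggest `nft list ruleset | grep -E 'ct state'` and state that both lines are expected in the input base chain, and in output when its policy is drop.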

If the basic chain is not configured, or the hook rules of the basic ++ chain are not specified, the packet will not be captured by nftables, ++ and filtering will not be possible.

++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check whether the DROP policy of input, output and forward is configured: ++
    $ nft list ruleset
    ++
  • ++
++ ++rationale: |- ++ If the basic chain is not configured with a DROP or REJECT policy, the ++ packets will be ACCEPT by default, which may easily lead to security ++ risks due to omission of the rejection policy. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..a4c1563 +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_input_policy_configured_corrently/rule.yml +@@ -0,0 +1,24 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables input strategy' ++ ++description: |- ++ The function of the input chain is to filter messages received from the ++ outside. Any externally provided service needs to configure the ++ corresponding input policy and open the relevant port so that external ++ clients can access the service through the port. ++ ++
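Review bot: `nft list ruleset` is listed with no pass criterion; the auditor should be looking for base chains whose hook line carries `policy drop`, e.g. `type filter hook input priority 0; policy drop;` and the same for `output` and `forward`. nftables has no `DROP` keyword, the policy is lowercase `drop`, and a base chain without a `policy` clause defaults to `accept`, which is exactly the condition the rationale warns about. Listing those expected lines in the description turns this into a check someone can actually perform.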

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check whether the input chain configuration strategy meets business needs: ++
    $ nft list chain inet test input
    ++
  • ++
++ ++rationale: |- ++ If not configured, since the default policy is configured as DROP, all ++ external packets trying to access related services will be dropped. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..b3ca58a +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_loopback_policy_configured_corrently/rule.yml +@@ -0,0 +1,28 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables loopback policy' ++ ++description: |- ++ The loopback address is a special address on the server, represented by 127.0.0.0/8. It ++ has nothing to do with the network card. It is mainly used for inter-process communication ++ on this machine. Packets with the source address 127.0.0.0/8 should not be received from ++ the network card. Such messages should be discarded. ++ ++
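Review bot: The check `nft list chain inet test input` hard-codes a table named `test`; on any host whose administrator named the table differently (e.g. `filter`) the command fails with `No such file or directory` and the auditor gets nothing. Use `nft list ruleset`, or `nft list tables` first and then list the input chain of the table actually present. The rationale also contradicts the group description and the default-deny rule in this patch: nftables has no default DROP policy, so an unconfigured base chain accepts.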

The server needs to set a policy to allow receiving and processing the loopback address ++ packets of the lo interface, but reject the packets received from the network card.

++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check whether the loopback address policy has been configured: ++
    $ nft list ruleset
    ++
  • ++
++ ++rationale: |- ++ If the loopback address policy is ++ set incorrectly, inter-process communication on the local machine may fail, or spoofed ++ packets may be received from the network card. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml +new file mode 100644 +index 0000000..6c4cdc6 +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/nftables_output_policy_configured_corrently/rule.yml +@@ -0,0 +1,25 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Configure nftables output strategy' ++ ++description: |- ++ There are two main situations when the server sends outbound messages. One ++ is when the host process actively connects to an external server, such as ++ http access, or sends outgoing data to a log server, etc. The other is when ++ the host process externally accesses local services and the local machine ++ responds arts. ++ ++
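Review bot: As with the iptables variant, the description covers only 127.0.0.0/8 and the check names no expected rules, so for an `inet` table the IPv6 half is never verified. Suggest stating the expected input-chain rules in order: `iif lo accept`, `ip saddr 127.0.0.0/8 drop`, `ip6 saddr ::1 drop`, and noting that the `iif lo accept` must precede the two drops or local traffic is discarded.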

It can not be scanned automatically, please check it manually.

++
    ++
  • You can use below cli command to check whether the policy configured in the output chain meets business needs: ++
    $ nft list chain inet test output
    ++
  • ++
++ ++rationale: |- ++ If no output policy is configured, all outgoing packets from the server will ++ be discarded because the default policy is DROP. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml +new file mode 100644 +index 0000000..9f37bdf +--- /dev/null ++++ b/linux_os/guide/system/network/network_nftables/service_nftables_enabled/rule.yml +@@ -0,0 +1,22 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Verify nftables Enabled' ++ ++description: '{{{ describe_service_enable(service="nftables") }}}' ++ ++rationale: |- ++ If multiple firewall services are enabled, business ++ interruption may occur due to inconsistent policy configurations. ++ ++severity: low ++ ++ocil: '{{{ ocil_service_enabled(service="nftables") }}}' ++ ++platform: machine ++ ++template: ++ name: service_enabled ++ vars: ++ servicename: nftables +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml +new file mode 100644 +index 0000000..175fa9c +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/define_ld_lib_path_correctly/rule.yml +@@ -0,0 +1,41 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure the LD_LIBRARY_PATH variable is defined correctly' ++ ++description: |- ++ LD_LIBRARY_PATH is a Linux environment variable. When a program loads a ++ dynamic link library, it will first obtain it from the path specified by ++ this environment variable. Normally, this environment variable should ++ not be set. If it is maliciously set to an incorrect value, the program ++ may be linked to an incorrect dynamic library when running, resulting in ++ security risks. 
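Review bot: `nft list chain inet test output` assumes a table named `test`, so on a host with any other table name the command errors out instead of showing the chain; use `nft list ruleset` or `nft list tables` followed by the real table name. The last sentence of the description ("the local machine responds arts") appears garbled and presumably meant "responds to it".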
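Review bot: The rule enables nftables.service but says nothing about firewalld or the iptables service, and the rationale's warning about "multiple firewall services" applies to this very rule if either of those is also enabled. Suggest adding to the description `Only one of firewalld, iptables and nftables should be enabled; disable the others before enabling nftables.` If a profile also selects a firewalld-enabled rule elsewhere in the guide, the two rules are mutually exclusive and should not share a profile.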
Note: The configuration in /etc/ld.so.conf.d will also ++ affect dynamic library loading, so you need to ensure correct configuration. ++ ++ openEuler does not set this variable by default. According to the actual ++ scenario, if LD_LIBRARY_PATH must be set, you need to ensure that the ++ value is correct in all user contexts. ++ ++

It can not be scanned automatically, please check it manually.

++

There are multiple configuration files that can permanently set the LD_LIBRARY_PATH ++ value, which need to be investigated. These files include: /etc/profile, ~/.bashrc, ~/.bash_profile. ++ The latter two files are files in the user's home directory. Each user Yes, be ++ sure not to miss it during inspection.

++
    ++
  • First, Use the grep command to check. In the example, it is found that the LD_LIBRARY_PATH value is set in the /etc/profile file: ++
    ++    $ grep "LD_LIBRARY_PATH" /etc/profile ~/.bashrc ~/.bash_profile
    ++    
    ++
  • ++
  • Check if LD_LIBRARY_PATH value exists in current user context: ++
    ++    $ echo $LD_LIBRARY_PATH
    ++    
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml +new file mode 100644 +index 0000000..0d9cfeb +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/define_path_strictly/rule.yml +@@ -0,0 +1,44 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure the user PATH variable is strictly defined' ++ ++description: |- ++ The PATH variable under Linux defines the search path for executable files ++ in the current user context. For example, if the user uses the ls command ++ in any directory, the system will search for the ls command in the directory ++ specified by the PATH variable and execute it after finding it. The PATH ++ variable in all user contexts cannot contain the current directory "." .The ++ directory must be a path that actually exists in the file system and meets ++ the design expectations of the system. The correct PATH value can effectively ++ prevent system commands from being replaced by malicious instructions and ++ ensure that system commands can be executed safely. ++ ++ So the PATH variable should be defined to the correct value, and the openEuler ++ system default setting is: ++ ++ /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin ++ ++ PATH can be modified according to the actual scenario, but be sure to make sure ++ it is correct. ++ ++
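Review bot: The grep in the first bullet covers /etc/profile and only the current user's `~/.bashrc` and `~/.bash_profile`, although the description says every user's files must be checked; /etc/profile.d/*.sh, /etc/bashrc and /etc/environment are also sourced and are not listed at all. Suggest `grep -s LD_LIBRARY_PATH /etc/profile /etc/profile.d/*.sh /etc/bashrc /etc/environment /root/.bash* /home/*/.bash*` with the note that any hit must be justified, plus `cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf` for the loader search path the description itself mentions. `rationale: |- none.` is empty; the risk sentence from the description (an attacker-controlled path makes a program load a substituted library, i.e. code execution with that program's privileges) belongs there.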

It can not be scanned automatically, please check it manually.

++

Use the echo command to print out the value of PATH in the current user context and check whether it is correct.

++
    ++
  • The PATH value in the openEuler root user context is as follows: ++
    ++    $ echo $PATH
    ++    
    ++
  • ++
  • The PATH value in the openEuler ordinary user test context is as follows: ++
    ++    $ echo $PATH
    ++    
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml +new file mode 100644 +index 0000000..a2c3208 +--- /dev/null ++++ b/linux_os/guide/system/permissions/files/no_files_globally_writable_files/rule.yml +@@ -0,0 +1,34 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Disallow globally writable files' ++ ++description: |- ++ Globally writable means that all users can write to the file, but usually this ++ permission is not necessary. If a file is unreasonably set with globally writable ++ permissions, it can easily be tampered with by attackers, leading to security risks. ++ Therefore, if the file must have globally writable permissions, the security risks ++ need to be analyzed based on actual scenarios to ensure that attackers cannot use ++ this file to carry out attacks. ++ ++ You can search for globally writable files in the root directory. The exceptions ++ are: There are a large number of globally writable files in the two system directories ++ "/sys" and "/proc" when Linux is running, so these two should be excluded when checking ++ directory to avoid confusion. ++ ++
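Review bot: `echo $PATH` only shows the value for the shell the auditor happens to be in, and the check never says what to look for; an empty element (`::`, or a leading/trailing `:`) is equivalent to `.` and is easy to miss in one long line. Suggest `echo "$PATH" | tr ':' '\n' | grep -nE '^\.?$'` (any output is a finding) together with `for d in $(echo "$PATH" | tr ':' ' '); do [ -d "$d" ] || echo "missing: $d"; done`, run as root and as each ordinary user via `su - <user> -c 'echo $PATH'`. A world-writable directory in PATH is the same class of risk and deserves a line, e.g. `find $(echo "$PATH" | tr ':' ' ') -maxdepth 0 -perm -0002`. `rationale: |- none.` should carry the command-substitution risk already described above it.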

It can not be scanned automatically, please check it manually.

++

Check globally writable files(directories "/sys" and "/proc" have been excluded).

++
    ++
  • You can use below command to check : ++
    $ find / -path /proc -prune -o -path /sys -prune -o -type f -perm -0002 -exec ls -lg {} \;
    ++
  • ++
  • or: ++
    $ find / -xdev -type f -perm -0002 -exec ls -lg {} \;
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml +new file mode 100644 +index 0000000..9a3535e +--- /dev/null ++++ b/linux_os/guide/system/permissions/mounting/removed_unnecessary_file_mount_support/rule.yml +@@ -0,0 +1,38 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Ensure that unneeded file system mount is removed' ++ ++description: |- ++ The Linux system supports a variety of file systems, which are ++ loaded into the kernel through ko mode. As a general operating ++ system platform, openEuler will provide various file systems ko, ++ which are stored in the /lib/modules/(kernel version)/kernel/fs/ ++ directory and can be loaded through the insmod/modprobe command. ++ ++
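Review bot: The two commands offered as alternatives are not equivalent: `find / -xdev` stays on the root filesystem, so with the separate /home, /tmp and /boot partitions this same patch recommends, files on those partitions are never examined. Keep the `-prune` form as the canonical check and, if `-xdev` is kept, run it once per mount point. Replacing `-exec ls -lg {} \;` with `-exec ls -l {} +` avoids one process per file, and the pass criterion (no output) should be stated.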

Users should determine which file systems do not need to be supported ++ based on actual scenarios, and prohibit these file systems from being ++ mounted through configuration. These file systems usually include:

++

cramfs、freevxfs、jffs2、hfs、hfsplus、squashfs、udf、vfat、fat、msdos、nfs、ceph、fuse、overlay、xfs

++

It can not be scanned automatically, please check it manually.

++

Use the following command to check the file system mounting status, such as cramfs.

++
    ++
  • First, Check the directory where "ko" is located: ++
    ++    $ modprobe -n -v cramfs | grep -E "(cramfs|install)"
    ++    
    ++
  • ++
  • If there is no echo from the above command, execute the following command. If there is output, it means that the file has been mounted by the system: ++
    ++    $ lsmod | grep cramfs
    ++    
    ++
  • ++
++ ++rationale: |- ++ Disabling mount support for unnecessary file systems can reduce ++ the attack surface and prevent attackers from attacking the system ++ by exploiting vulnerabilities in some uncommon file systems. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml +new file mode 100644 +index 0000000..545a238 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/partitions_manage_hard_drive_data/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Hard drive data should be managed in partitions' ++ ++description: |- ++ When installing the operating system, the operating system data and business data ++ partitions should be managed according to the characteristics of the actual scenario ++ to avoid placing all data on one hard disk or partition. Proper planning of hard disk ++ partitions can avoid or reduce the following risks: ++ ++ The log file is too large, causing the business or system data disk to become full; ++ The home directory of ordinary accounts is too large, causing the system or business disk to become full; ++ The system partition is not independent, causing the basic service of the operating system to fail when the disk is full, causing a full-scale DOS attack; ++ It is not conducive to minimizing permissions and encrypting data disks; ++ It is not conducive to system or data recovery after the disk is damaged. ++ ++ As a general operating system, openEuler installs separate partitions "/boot, /tmp, ++ /home, /" by default. It is recommended to determine the partition mounting and size ++ of other directories based on the actual scenario. ++ ++
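Review bot: The second check step says `If there is output, it means that the file has been mounted by the system`, but `lsmod | grep cramfs` only reports whether the module is currently loaded — whether a cramfs filesystem is mounted is a different question (`findmnt -t cramfs`), and an unloaded module says nothing about whether it can still be loaded on demand. The persistent control is an `install cramfs /bin/true` (or `blacklist`) line under `/etc/modprobe.d/`, which is what the `modprobe -n -v` step reveals, so the wording should be `If the first command prints "install cramfs /bin/true" the filesystem is disabled; if it prints an insmod line for cramfs.ko the module can still be loaded.` The candidate list includes `vfat` and `xfs`: `vfat` backs `/boot/efi` on UEFI hosts (this patch's own nodev rule lists `/boot/efi` as a mount point) and `xfs` is a common root filesystem, so a caveat that filesystems in use must be kept would prevent an unbootable system. Upstream SCAP Security Guide already ships templated `kernel_module_<name>_disabled` rules with automated OVAL for most of these modules, which could replace this manual rule for openEuler by extending their `prodtype`.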

It can not be scanned automatically, please check it manually.

++
    ++
  • Check the sudo configuration file /etc/sudoers: ++
    $ df | grep -iE "/boot|/tmp|/home|/var|/usr"
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml +new file mode 100644 +index 0000000..c3008b4 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_nodev_mode/rule.yml +@@ -0,0 +1,47 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Mounting in nodev mode does not require mounting the device' ++ ++description: |- ++ nodev means that device files are not allowed to be mounted, which is used ++ to reduce the attack surface and increase security. When the directory is ++ mounted, if the nodev option is set, all block devices, character devices ++ and other device files in the directory will be parsed into ordinary files ++ and cannot be operated on device files. If nodev is not set when mounting, ++ it will lead to security risks. For example, an attacker creates a file system ++ on the USB flash drive and creates a block device file in it (his own USB flash ++ drive, with corresponding permissions), and this block The device actually ++ points to the server hard disk or partition such as /dev/sda. If an attacker ++ has the opportunity to insert a USB flash drive into the server and the server ++ loads the USB flash drive, the attacker can access the corresponding file through ++ this block device file. Hard drive data. If the U disk in the above case is changed ++ to another hard disk or partition, a similar problem will exist. As long as there ++ is a maliciously constructed device file on the hard disk or partition, an attack ++ can be formed. ++ ++
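Review bot: The caption of the check step, `Check the sudo configuration file /etc/sudoers:`, does not match the command under it, `df | grep -iE "/boot|/tmp|/home|/var|/usr"`, and appears copied from the sudoers rule later in this patch; it should read `List which of the recommended directories are separate mount points:`. The `df | grep` pattern also matches substrings in the device column and in deeper mount points such as `/var/lib/...`, so `findmnt -n -o TARGET,SOURCE /home` (one call per directory) gives an unambiguous answer about whether that exact directory is its own mount. The rationale is `none.` although the risk list in the description (log growth filling the system disk, loss of basic services, weaker isolation of data disks) is precisely the rationale and should be moved there.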

The following directories are mounted by nodev by default in the openEuler system:

++

/sys、/proc、/sys/kernel/security、/dev/shm、/run、/sys/fs/cgroup、/sys/fs/cgroup/systemd、 ++ /sys/fs/pstore、/sys/fs/bpf、/sys/fs/cgroup/files、/sys/fs/cgroup/net_cls,net_prio、 ++ /sys/fs/cgroup/devices、/sys/fs/cgroup/freezer、/sys/fs/cgroup/cpu,cpuacct、/sys/fs/cgroup/perf_event、 ++ /sys/fs/cgroup/pids、/sys/fs/cgroup/hugetlb、/sys/fs/cgroup/memory、/sys/fs/cgroup/blkio、 ++ /sys/fs/cgroup/cpuset、/sys/fs/cgroup/rdma、/sys/kernel/config、/sys/kernel/debug、/dev/mqueue、 ++ /tmp、/run/user/0

++

penEuler has the following directories (some directories vary depending on hard disk partitions ++ and deployment platforms). These directories are not mounted by nodev by default:

++

/dev、/dev/pts、/、/sys/fs/selinux、/proc/sys/fs/binfmt_misc、/dev/hugepages、/boot、 ++ /var/lib/nfs/rpc_pipefs、/boot/efi、/home

++

In actual scenarios, based on business needs, the nodev method is used to mount partitions ++ that do not require device mounting.

++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether there is a mount point that needs to be set to nodev but has not been set. Analyze the returned data to confirm whether the mount point for which nodev is not set is correct. ++
    $ mount | grep -v "nodev" | awk -F " " '{print $3}'
    ++
  • ++
++rationale: |- ++ ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml +new file mode 100644 +index 0000000..c7900b9 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_noexec_mode/rule.yml +@@ -0,0 +1,23 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Mount a partition without executable files in noexec mode' ++ ++description: |- ++ The data disk is only used to save data during system operation. There ++ is no need to execute relevant commands on the data disk. In this case, ++ the hard disk or partition must be mounted in noexec mode to improve security ++ and reduce the attack surface. ++ ++
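Review bot: `rationale: |-` at the end of this rule has an empty body, so the rendered guide shows no rationale, and the same empty `rationale` block recurs in the `partitions_mounted_noexec_mode`, `partitions_mounted_nosuid_mode`, `partitoin_mounted_noexec_or_nodev` and `read_only_partitions_no_modified` hunks that follow; for this rule a one-line body such as `Mounting partitions that never need device nodes with nodev prevents a crafted device file on that partition from reaching the host's real block devices.` would do, and each of the other four needs an equivalent sentence. The description reads `penEuler has the following directories` where `openEuler` is meant. The check `mount | grep -v "nodev" | awk -F " " '{print $3}'` is a plain listing in which `/`, `/dev` and `/dev/pts` will always appear because they must carry device nodes, so the text should say that only mount points outside the second list in the description are findings; `findmnt -n -o TARGET,OPTIONS | grep -v nodev` is a more readable form than parsing the third column of `mount`.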

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether the specified mount point directory is mounted in noexec mode: ++
    $ mount | grep "\/root\/noexec" | grep "noexec"
    ++
  • ++
++ ++rationale: |- ++ ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml b/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml +new file mode 100644 +index 0000000..16f795d +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/partitions_mounted_nosuid_mode/rule.yml +@@ -0,0 +1,31 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure partitions that do not require SUID/SGID are mounted in nosuid mode' ++ ++description: |- ++ After the SUID bit is set on an executable file, even if the user executing the file ++ is not the owner of the file, the process will be temporarily granted the permissions ++ of the file owner during execution. For example, the ordinary user test executes a ++ program with permissions 755 and owner root. If the program does not set the SUID bit, ++ the process only has the permissions of the test user; if the SUID is set, the process ++ has root permissions during execution. . SGID has a similar function, but it only has ++ the permissions of the group to which the file belongs. For partitions that do not ++ need SUID/SGID, use the nosuid method to mount them. This can invalidate the S bit of ++ files with SUID/SGID in the partition, prevent privilege escalation through the ++ executable files of the partition, and strengthen the security of the partition. ++ ++
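Review bot: The check `mount | grep "\/root\/noexec" | grep "noexec"` hard-codes an example mount point, `/root/noexec`, that will not exist on a real system, so the command prints nothing both when a data partition is correctly mounted noexec and when there is no such partition at all — a pass is indistinguishable from a missing mount. The same defect is in the `partitoin_mounted_noexec_or_nodev` hunk (`mount | grep "\/dev\/vda"`, a virtio system disk rather than a removable device) and in `read_only_partitions_no_modified` (`mount | grep "/root/readonly"`). A host-independent check is `findmnt -n -o TARGET,OPTIONS | grep -v noexec`, listing every mount point that lacks the option for the reviewer to judge, as the nosuid rule in this patch already does with `mount | grep -v "nosuid"`; for removable media `lsblk -o NAME,RM,MOUNTPOINT` identifies the devices (`RM` = 1) whose options should then be inspected. The directory name `partitoin_mounted_noexec_or_nodev` also misspells `partition`, and since the rule id is taken from the directory name the typo would become the permanent identifier referenced from profiles.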

Users need to plan each mounted hard drive and partition and set nosuid mounting items ++ based on actual scenarios.

++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • Check whether the file system is mounted in nosuid mode through the mount command: ++
    $ mount | grep -v "nosuid"
    ++
  • ++
++ ++rationale: |- ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml +new file mode 100644 +index 0000000..848fed1 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/partitoin_mounted_noexec_or_nodev/rule.yml +@@ -0,0 +1,29 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure the removable partition is mounted in noexec/nodev mode' ++ ++description: |- ++ Removable devices themselves are uncertain, and their origin, past usage, ++ and transportation processes cannot guarantee absolute safety. Therefore, ++ removable devices are often the main host devices for virus transmission. ++ Therefore, for removable devices, it is required to mount them in noexec ++ or nodev mode to improve security and reduce the attack surface. ++ ++

noexec can prevent files on removable devices from being directly executed, ++ such as virus files, attack scripts, etc;

++

nodev prevents incorrect device files on removable devices from being linked ++ to real devices on the server, leading to attacks;

++

Common removable devices such as: CD/DVD/USB, etc.

++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether the specified mount point directory is mounted in noexec or nodev mode: ++
    $ mount | grep "\/dev\/vda"
    ++
  • ++
++ ++rationale: |- ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml +new file mode 100644 +index 0000000..b63d688 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/read_only_partitions_no_modified/rule.yml +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Partitions that do not need to be modified are mounted read-only.' ++ ++description: |- ++ Mounting file systems that do not require data modification in read-only mode can ++ avoid unintentional or malicious data tampering and reduce the attack surface. ++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • Use the mount command to check whether the mounted file system meets the requirements: ++
    $ mount | grep "/root/readonly" | grep "\<ro\>"
    ++
  • ++
++ ++rationale: |- ++ ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +index cd07fd0..cd68dad 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8 ++prodtype: fedora,ocp4,ol7,ol8,rhel6,rhel7,rhel8,openeuler2203 + + title: 'Restrict usage of ptrace to descendant processes' + +@@ -33,4 +33,5 @@ template: + vars: + sysctlvar: kernel.yama.ptrace_scope + sysctlval: '1' ++ sysctlval@openeuler2203: '0' + datatype: int +diff --git a/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml +new file mode 100644 +index 0000000..dc1881b +--- /dev/null ++++ b/linux_os/guide/system/selinux/disabled_unconfined_service_t_programs/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Avoid using programms labeled unconfined_service_t' ++ ++description: |- ++ The purpose of SELinux setting the unconfined_service_t label ++ is to enable some third-party service processes that are not ++ configured with SELinux policies to run unfettered. By default, ++ when systemd runs a third-party application with the label bin_t ++ or usr_t (generally located in /usr/bin, /opt, etc. directories), ++ the generated process label is unconfined_service_t. ++ ++ The difference from other high-privilege labels (such as unconfined_t, ++ initrc_t, etc.) 
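Review bot: `sysctlval@openeuler2203: '0'` makes the openEuler variant of this rule check for `kernel.yama.ptrace_scope = 0`, which is the unrestricted classic ptrace behaviour, while the rule's title `Restrict usage of ptrace to descendant processes` and its unchanged description describe value `1`; the rule will now pass on an openEuler host that does not restrict ptrace at all, and the guide text will be wrong for that product. With scope 0 any process can attach to any other process of the same user, so secrets held in memory by a same-user process (an SSH agent, for example) are readable by any compromised process of that user. If openEuler deliberately ships 0 (e.g. for debugger compatibility), the override should be dropped and the rule simply omitted from the profile, or at minimum the rationale text should state why 0 is accepted on openEuler. Both hunks of this file sit on this line; the remainder of the rule is outside the diff.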
is that unconfined_service_t has very few domain ++ conversion rules, which means that even if the process runs applications ++ that have been configured with SELinux policies, the label of the ++ new process will still be unconfined_service_t. The SELinux policy ++ configured for the process will not take effect. If it is attacked, ++ it will have a greater impact on the system. ++ ++

It can not be scanned automatically, please check it manually.

++
    ++
  • Run the following command. If the return value is empty, it means that there is no process with the label unconfined_service_t in the current system: ++
    $ ps -eZ | grep unconfined_service_t
    ++
  • ++
++ ++rationale: |- ++ Programs labeled unconfined_service_t are restricted from running. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/software/enabled_seccomp/rule.yml b/linux_os/guide/system/software/enabled_seccomp/rule.yml +new file mode 100644 +index 0000000..82d0734 +--- /dev/null ++++ b/linux_os/guide/system/software/enabled_seccomp/rule.yml +@@ -0,0 +1,47 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'seccomp should be enabled' ++ ++description: |- ++ seccomp (full name: secure computing mode), when it was first introduced into the ++ Linux kernel, limited the system calls available to the process to four types: read, ++ write, _exit, sigreturn. In the original whitelisting method, in addition to the ++ four system calls allowed by the open file descriptor, if other system calls are ++ attempted, the kernel will use SIGKILL or SIGSYS to terminate the process. ++ ++ The whitelist method is too restrictive and has little practical effect. In practical ++ applications, more precise restrictions are needed. In order to solve this problem, ++ BPF was introduced. The combination of seccomp and BPF rules allows users to filter ++ system calls using configurable policies. The policy is implemented using Berkeley ++ Packet Filter rules, which can filter any system calls and their parameters. ++ ++ The openEuler kernel already provides seccomp function support by default, and also ++ provides the libseccomp peripheral package to help user-mode programs conveniently ++ set seccomp rules. ++ ++
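Review bot: The check `ps -eZ | grep unconfined_service_t` is only meaningful while SELinux is enabled; with SELinux disabled `ps -eZ` shows no domain at all and the empty result would be read as a pass, so the step should open with `$ getenforce` and state that `Disabled` means the rule cannot be evaluated. The rationale `Programs labeled unconfined_service_t are restricted from running.` describes the desired end state rather than the risk; the description's last sentences (almost no domain transitions, configured policies not taking effect, larger impact when compromised) are the real rationale and belong there. The title has `programms` for `programs`.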

It can not be scanned automatically, please check it manually.

++

Check whether the target process has seccomp mode enabled. Here we take checking the test_seccomp process as an example.

++
    ++
  • First, determine process number: ++
    ++    $ ps -aux | grep "test_seccomp"
    ++    
    ++
  • ++
  • Then,query whether the seccomp function is enabled in the process based on the obtained pid number: ++
    ++    $ cat /proc/[pid]/status | grep "Seccomp"
    ++    
    ++
  • ++
++rationale: |- ++ seccomp cannot set the opening, closing or rules globally, but is specific to each ++ process. That is, the process can set and enable seccomp by itself, which affects ++ itself and all child threads, but does not affect other processes. ++ ++ If seccomp is enabled in a process, there will be a performance loss when making ++ system calls. Users need to determine whether the performance loss is acceptable ++ based on actual business scenarios. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +index 787d897..6d9c09d 100644 +--- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ocp4,ol8,rhel8 ++prodtype: fedora,ocp4,ol8,rhel8,openeuler2203 + + title: 'Configure System Cryptography Policy' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml +index f9835af..4fb6a78 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml +@@ -7,6 +7,7 @@ + multi_platform_fedora + multi_platform_ol + multi_platform_rhel ++ multi_platform_openeuler + + The aide database must be initialized. 
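Review bot: The second check step points the reader at the `Seccomp` line of `/proc/[pid]/status` without saying how to read it; the field is `0` for no seccomp, `1` for strict mode and `2` for filter mode, so the text should add `A value of 2 (filter) or 1 (strict) means seccomp is active for the process; 0 means it is not.` On recent kernels `grep "Seccomp"` also matches the `Seccomp_filters:` line, so `grep "^Seccomp:"` is the precise form. In the first step `ps -aux | grep "test_seccomp"` matches the grep process itself; `pgrep -x test_seccomp` returns just the pid.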
+ +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml +new file mode 100644 +index 0000000..bd51174 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/enable_aide_detection/rule.yml +@@ -0,0 +1,40 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'aide intrusion detection should be enabled' ++ ++description: |- ++ aide (advanced intrusion detection environment) is an intrusion detection tool that ++ can be used to check the integrity of files and directories in the system and identify ++ files or directories that have been maliciously tampered with. The principle of the ++ integrity check is to first construct a baseline database, which contains some attributes ++ of the file or directory such as permissions, users, etc. When performing the integrity ++ check, the current system status is compared with the baseline database to obtain the ++ check results. Finally, the file or directory changes of the current system are reported, ++ that is, the inspection report. ++ ++ Enabling aide intrusion detection can effectively identify malicious tampering with files ++ or directories, thereby improving system integrity and security. The files or directories ++ that need to be checked can be configured as needed, which is highly flexible. Users only ++ need to query the check report to determine whether there is malicious tampering. ++ ++

It can not be scanned automatically, please check it manually.

++

Check if the loopback address policy has been correctly configured.

++
    ++
  • Check if aide package is installed: ++
    $ aide --version
    ++
  • ++
  • Then,check whether the files or directories that need to be monitored have been configured in the /etc/aide.conf file. The example only shows the /boot directory in the default configuration monitoring directory: ++
    $ grep boot /etc/aide.conf | grep NORMAL
    ++
  • ++
  • Finally,check if the baseline database exists: ++
    $ ls /var/lib/aide/aide.db.gz
    ++
  • ++
++rationale: |- ++ The more files that need to be checked, the longer the checking process will take. If users ++ enable aide, they should configure the inspection strategy appropriately based on their own ++ business scenarios. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml +new file mode 100644 +index 0000000..8437388 +--- /dev/null ++++ b/linux_os/guide/system/software/integrity/software-integrity/ima_verification/rule.yml +@@ -0,0 +1,55 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'IMA metrics should be enabled' ++ ++description: |- ++ IMA (Integrity Measurement Architecture) is an integrity protection function provided ++ by the kernel. When IMA is turned on, it can provide integrity measurements for ++ important files in the system based on user-defined policies. The measurement results ++ can be used locally and remotely. Proof of integrity. ++ ++ When the IMA measurement function is not enabled in the system, summary information ++ of key files cannot be recorded in real time, and tampering with file contents or ++ attributes cannot be identified. Functions such as local attestation and remote ++ attestation that protect system integrity rely on the summary value provided by IMA ++ metrics, so they cannot be used, or the integrity protection is incomplete. ++ ++ IMA global policy configuration is related to the specific environment. Normally, ++ integrity protection is only targeted at immutable files (such as executable files, ++ dynamic libraries, etc.). If the policy is improperly configured, it may lead to ++ excessive performance and memory overhead. It is recommended that users use their ++ own The situation determines whether to enable IMA and configure the correct policy. 
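Review bot: The sentence `Check if the loopback address policy has been correctly configured.` does not belong to this rule — it reads as a copy from a network rule — and should be `Check that aide is installed, has monitored paths configured, and has a baseline database.` The rationale only discusses scan cost, while the actual reason for the control (detecting malicious modification of files and directories) is in the description's second paragraph and should be moved into `rationale`. `aide --version` produces a shell "command not found" error rather than a clear answer when the package is absent, so `rpm -q aide` is the usual installation check; and the last step, `ls /var/lib/aide/aide.db.gz`, duplicates the existing `aide_build_database` rule whose OVAL this same patch extends to openEuler, so the manual step could simply reference that rule.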
++ ++ Note: Since IMA is only the measurement part of the global integrity protection ++ mechanism, complete use requires TPM 2.0 and remote attestation services. This ++ specification only explains and recommends the measurement part of IMA. If the ++ system does not integrate TPM 2.0 and remote attestation services, the IMA measurement ++ function should not be enabled. ++ ++ IMA measurement does not support container environments and virtual machine ++ environments, requires UEFI startup, and does not support Legacy mode. ++ ++

Use the following command to check whether the current system has IMA measurement enabled.

++
    ++
  • First, confirm whether integrity=1 is configured in the current kernel startup parameters: ++
    $ cat /proc/cmdline | grep integrity=1
    ++
  • ++
  • Then confirming that IMA is turned on, check the number of measurement records stored in the /sys/kernel/security/ima/runtime_measurement_count file: ++
    $ cat /sys/kernel/security/ima/runtime_measurements_count
    ++
  • ++
++ ++rationale: |- ++ Turning on IMA metrics will cause a slight increase in system startup time and file ++ access time. ++ If the policy is improperly configured (such as measuring real-time changing log files, ++ temporary files, etc.), the measurement log may grow too fast and occupy too much system ++ memory, and the memory occupied by the measurement log will not be released before the ++ next restart of the system. , thus affecting the normal operation of the business. In ++ addition, because the measured files are constantly changing, the measurement value changes, ++ and the remote certification baseline value cannot be updated synchronously, causing the ++ remote certification to fail and losing the meaning of integrity protection. ++ ++severity: low +\ No newline at end of file +diff --git a/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml +new file mode 100644 +index 0000000..cd59e60 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_disable_low_privileged_configure/rule.yml +@@ -0,0 +1,33 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Make sure sudoers cannot configure scripts writable by low-privileged users' ++ ++description: |- ++ sudo can enable the set ordinary user to execute certain specific programs with root privileges, ++ and the corresponding configuration file is /etc/sudoers. Administrator users can configure ++ corresponding rules to make certain scripts or binary files run with root permissions. Therefore, ++ the scripts configured by sudo should only be writable by root. Scripts that can be written by ++ low-privilege users cannot be configured. If low-privilege users are configured, they can be written ++ by root. script, the user can perform privilege escalation operations by modifying the script. ++ ++
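Review bot: The second check step names the file `/sys/kernel/security/ima/runtime_measurement_count` in its text while the command reads `runtime_measurements_count`; the command's spelling is the real sysfs name, so the text should be corrected to match. The title `IMA metrics should be enabled` contradicts the description's own note that the measurement function `should not be enabled` where TPM 2.0 and a remote attestation service are absent, so the precondition belongs in the title or first check step, e.g. `Applicable only on hosts with TPM 2.0 and a remote attestation service; otherwise leave IMA measurement off.` — otherwise a hardening run driven by this rule enables IMA exactly where the description says it is harmful. `grep integrity=1` on `/proc/cmdline` also matches any longer parameter name ending in `integrity=1`; `grep -E '(^| )integrity=1( |$)'` matches the exact parameter.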

It can not be scanned automatically, please check it manually.

++

Check related configuration.

++
    ++
  • First, check the sudo configuration file /etc/sudoers: ++
    ++    $ grep "(root)" /etc/sudoers
    ++    
    ++
  • ++
  • Then,check whether privileged programs are writable by low-privileged users: ++
    ++    $ ll /bin/xxx.sh
    ++    
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml +new file mode 100644 +index 0000000..ea4e9cf +--- /dev/null ++++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/oval/shared.xml +@@ -0,0 +1,25 @@ ++ ++ ++ ++ Disable use of SysRq key ++ ++ multi_platform_openeuler ++ ++ Disable SysRq. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /proc/sys/kernel/sysrq ++ 0 ++ 1 ++ ++ +\ No newline at end of file +diff --git a/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml +new file mode 100644 +index 0000000..75f55a9 +--- /dev/null ++++ b/linux_os/guide/system/software/system-tools/disabled_SysRq/rule.yml +@@ -0,0 +1,30 @@ ++ ++prodtype: openeuler2203 ++ ++title: 'Disable use of SysRq key' ++ ++description: |- ++ ++ SysRq allows users with physical access to access dangerous system-level commands ++ in the computer, and the use of SysRq functions needs to be restricted. ++ ++ If the SysRq key is not disabled, the SysRq call can be triggered through the ++ keyboard, which may cause commands to be sent directly to the kernel, affecting ++ the system. ++ ++ openEuler prohibits the use of SysRq keys by default. ++ ++
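Review bot: The first check step, `grep "(root)" /etc/sudoers`, reads only the main file and only matches rules written with `(root)`; entries in `/etc/sudoers.d/` and rules granting `(ALL)` are the common forms and are missed, so `grep -rhE "^[^#].*\((root|ALL)" /etc/sudoers /etc/sudoers.d/` would cover both. The second step `ll /bin/xxx.sh` is a placeholder (and `ll` is a shell alias); the text should say to run `ls -l` on every command path found in step one and treat any target that is group- or world-writable, or owned by a non-root user, as a finding, adding that the containing directory must not be writable either since a writable directory lets the file be replaced. The rationale `none.` should carry the description's last sentence, which is itself garbled — `If low-privilege users are configured, they can be written by root. script` should read `If a script writable by a low-privileged user is configured, that user can escalate privileges by modifying it.`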

Check whether the system prohibits the use of the SysRq key:

++
    ++
  • First, check the current system kernel parameter settings. ++
    $ cat /proc/sys/kernel/sysrq
    ++
  • ++
  • Secondly, execute the following command. If the return value is not 0, it means the configuration is incorrect. ++
    $ grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*
    ++
  • ++
++ ++rationale: |- ++ SysRq related commands cannot be used in the system. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml +new file mode 100644 +index 0000000..1b92235 +--- /dev/null ++++ b/linux_os/guide/system/software/uninstall_debugging_tools/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'uninstall debugging tools' ++ ++description: |- ++ If the business environment contains debugging scripts and tools, they can ++ easily be exploited and attacked by attackers. Therefore, it is strictly ++ prohibited to install various debugging tools and files in the production ++ environment, including but not limited to: code debugging tools, privilege ++ escalation commands, scripts, and tools used for debugging functions, certificates, ++ and keys used in the debugging phase. Perf tools, point management and piling ++ tools for performance testing, attack scripts and tool scripts for verifying ++ security issues such as CVE, etc. Common open source third-party debugging tools ++ include: strace, gdb, readelf, perf, etc. ++ ++
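Review bot: This `rule.yml` is the only new rule in the patch that does not begin with `documentation_complete: true` (its first line is blank, then `prodtype`); the SSG build uses that key to decide whether a rule is included, so the rule and its OVAL are likely to be dropped silently — add `documentation_complete: true` as the first line. The second check step says `If the return value is not 0, it means the configuration is incorrect`, but for `grep "^kernel.sysrq" /etc/sysctl.conf /etc/sysctl.d/*` a non-zero exit status only means no `kernel.sysrq` line is set anywhere, in which case the compiled-in default applies; the wording should be `If no line is printed, or the printed value is not kernel.sysrq = 0, the persistent configuration is incorrect.` The OVAL in the preceding hunk appears to test only the running value in `/proc/sys/kernel/sysrq` (its XML tags were lost in this rendering, so this is inferred); if upstream's templated `sysctl_kernel_sysrq` rule is available in this tree it checks both the runtime value and the sysctl files and could be reused by adding `openeuler2203` to its `prodtype`.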

It can not be scanned automatically, please check it manually.

++

Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.

++
    ++
  • First, check whether the relevant rpm package is installed: ++
    ++    $ rpm -qa | grep -iE "^strace-|^gdb-|^perf-|^binutils-extra|^appict|^kmem_analyzer_tools"
    ++    
    ++
  • ++
  • Then,check whether the relevant commands are installed: ++
    ++    $ find / -type f \( -name "gdb" -o -name  "perf" -o -name "strace" -o -name "readelf" \)
    ++    
    ++
  • ++
++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml +new file mode 100644 +index 0000000..69b0c59 +--- /dev/null ++++ b/linux_os/guide/system/software/uninstall_development_and_compliation_tools/rule.yml +@@ -0,0 +1,39 @@ ++documentation_complete: true ++ ++prodtype: openeuler2203 ++ ++title: 'Uninstall development and compilation tools' ++ ++description: |- ++ If the business environment contains compilation tools, they can ++ easily be used by attackers to edit, tamper with, and reverse analyze ++ key files in the environment to carry out attacks. Therefore, it is ++ strictly prohibited to install various compilation, decompilation, ++ and binary analysis tools in the production environment, including ++ but not limited to: compilation tools, decompilation tools, compilation ++ environments, etc. Common third-party development and compilation tools ++ include: gcc, cpp, mcpp, flex, cmake, make, rpm-build, ld, ar, etc. ++ ++ If the business environment relies on interpreters such as python, lua, ++ and perl during deployment or operation, the interpreter running ++ environment can be retained. ++ ++
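Review bot: `find / -type f \( -name "gdb" -o -name "perf" -o -name "strace" -o -name "readelf" \)` descends into `/proc` and `/sys` and into every network or removable mount, which is slow and noisy; the globally-writable-files rule in this same patch already uses the right idiom, `find / -path /proc -prune -o -path /sys -prune -o -type f \( ... \) -print`. The description lists `certificates, and keys used in the debugging phase` and `attack scripts ... for verifying security issues such as CVE`, but neither check step covers them, so either drop them from the scope statement or add a step for them. If `readelf` is shipped in the main `binutils` package on openEuler (the rpm pattern deliberately matches only `binutils-extra`), the second step will flag `readelf` on every host that keeps `binutils` as a dependency, and the text should say whether that hit is actionable.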

It can not be scanned automatically, please check it manually.

++

Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.

++
    ++
  • First, check whether the relevant rpm package is installed: ++
    ++    $ rpm -qa | grep -iE "^(gcc-|cpp-|mcpp-|flex-|cmake-|make-|rpm-build-|binutils-extra|elfutils-extra|llvm-|rpcgen-|gcc-c++)"; rpm -qa libtool
    ++    
    ++
  • ++
  • Then,check whether the relevant commands are installed: ++
    ++    $ files=`find / -type f \( -name "gcc" -o -name "g++" -o -name "c++" -o -name  "cpp" -o -name "mcpp" -o -name "flex" -o -name "lex" -o -name  "cmake" -o -name "make" -o -name "rpmbuild" -o  -name "ld" -o -name "ar" -o -name "llc" -o -name "rpcgen" -o -name "libtool" -o -name "javac" -o -name "objdump" -o -name "eu-objdump" -o -name "eu-readelf" -o -name "nm" \) 2> /dev/null`; for f in $files; do if [ -n "$f" ]; then file $f | grep -i "ELF"; fi; done
    ++    
    ++
  • ++
++ ++rationale: |- ++ none. ++ ++severity: high +\ No newline at end of file +diff --git a/openeuler2203/profiles/standard.profile b/openeuler2203/profiles/standard.profile +index de6890c..76fe4dd 100644 +--- a/openeuler2203/profiles/standard.profile ++++ b/openeuler2203/profiles/standard.profile +@@ -9,158 +9,496 @@ description: |- + + selections: + - package_telnet_removed ++ - package_telnet_removed.severity=high + - package_tftp-server_removed ++ - package_tftp-server_removed.severity=high + - package_tftp_removed ++ - package_tftp_removed.severity=high + - package_net-snmp_removed ++ - package_net-snmp_removed.severity=high + - accounts_no_uid_except_zero ++ - accounts_no_uid_except_zero.severity=high + - file_owner_etc_passwd ++ - file_owner_etc_passwd.severity=high + - file_groupowner_etc_passwd ++ - file_groupowner_etc_passwd.severity=high + - file_permissions_etc_passwd ++ - file_permissions_etc_passwd.severity=high + - file_owner_etc_shadow ++ - file_owner_etc_shadow.severity=high + - file_groupowner_etc_shadow ++ - file_groupowner_etc_shadow.severity=high + - file_permissions_etc_shadow ++ - file_permissions_etc_shadow.severity=high + - file_owner_etc_group ++ - file_owner_etc_group.severity=high + - file_groupowner_etc_group ++ - file_groupowner_etc_group.severity=high + - file_permissions_etc_group ++ - file_permissions_etc_group.severity=high + - file_owner_etc_gshadow ++ - file_owner_etc_gshadow.severity=high + - file_groupowner_etc_gshadow ++ - file_groupowner_etc_gshadow.severity=high + - file_permissions_etc_gshadow ++ - file_permissions_etc_gshadow.severity=high + - accounts_user_interactive_home_directory_exists ++ - accounts_user_interactive_home_directory_exists.severity=high + - gid_passwd_group_same ++ - gid_passwd_group_same.severity=high + - var_password_pam_minlen=8 + - accounts_password_pam_minlen ++ - accounts_password_pam_minlen.severity=high + - accounts_password_pam_minclass ++ - accounts_password_pam_minclass.severity=high + - 
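Review bot: `Use keyword scanning to determine whether debugging tools exist in the business environment or mirror environment.` is copied from the debugging-tools rule; here it should say `compilation tools`. The directory name `uninstall_development_and_compliation_tools` misspells `compilation`, and because the rule id is taken from the directory name the typo becomes the permanent identifier referenced from profiles — rename it before this ships. In the second step `ld`, `ar`, `nm` and `objdump` are likely to come from the core `binutils` package (the rpm step matches only `binutils-extra`), which other packages depend on, so those hits are expected on most hosts and the text should state which matches are actionable. The `files=\`find ...\`; for f in $files` loop splits paths on whitespace; `find ... -exec file {} + | grep -i ELF` gives the same result without the temporary variable.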
var_password_pam_ucredit=0 + - accounts_password_pam_ucredit ++ - accounts_password_pam_ucredit.severity=high + - var_password_pam_lcredit=0 + - accounts_password_pam_lcredit ++ - accounts_password_pam_lcredit.severity=high + - var_password_pam_dcredit=0 + - accounts_password_pam_dcredit ++ - accounts_password_pam_dcredit.severity=high + - var_password_pam_ocredit=0 + - accounts_password_pam_ocredit ++ - accounts_password_pam_ocredit.severity=high + - accounts_password_pam_retry ++ - accounts_password_pam_retry.severity=high + - accounts_password_pam_unix_remember ++ - accounts_password_pam_unix_remember.severity=high + - set_password_hashing_algorithm_systemauth ++ - set_password_hashing_algorithm_systemauth.severity=high + - accounts_maximum_age_login_defs +- - var_accounts_minimum_age_login_defs=0 ++ - accounts_maximum_age_login_defs.severity=high ++ - var_accounts_maximum_age_login_defs=90 + - accounts_minimum_age_login_defs ++ - accounts_minimum_age_login_defs.severity=high ++ - var_accounts_minimum_age_login_defs=0 + - accounts_password_warn_age_login_defs ++ - accounts_password_warn_age_login_defs.severity=high + - sshd_disable_empty_passwords ++ - sshd_disable_empty_passwords.severity=high + - grub2_uefi_password ++ - grub2_uefi_password.severity=high + - require_singleuser_auth ++ - require_singleuser_auth.severity=high + - accounts_passwords_pam_faillock_deny ++ - accounts_passwords_pam_faillock_deny.severity=high + - accounts_passwords_pam_faillock_deny_root ++ - accounts_passwords_pam_faillock_deny_root.severity=high + - var_accounts_passwords_pam_faillock_unlock_time=300 + - accounts_passwords_pam_faillock_unlock_time ++ - accounts_passwords_pam_faillock_unlock_time.severity=high + - var_accounts_tmout=5_min + - accounts_tmout ++ - accounts_tmout.severity=high + - sshd_allow_only_protocol2 ++ - sshd_allow_only_protocol2.severity=high + - sshd_disable_rhosts ++ - sshd_disable_rhosts.severity=high + - disable_host_auth ++ - 
disable_host_auth.severity=high + - configure_ssh_crypto_policy ++ - configure_ssh_crypto_policy.severity=high + - sysctl_kernel_randomize_va_space ++ - sysctl_kernel_randomize_va_space.severity=high + - sysctl_kernel_dmesg_restrict ++ - sysctl_kernel_dmesg_restrict.severity=high + - sysctl_kernel_kptr_restrict ++ - sysctl_kernel_kptr_restrict.severity=high + - no_files_unowned_by_user ++ - no_files_unowned_by_user.severity=high + - file_permissions_ungroupowned ++ - file_permissions_ungroupowned.severity=high + - dir_perms_world_writable_sticky_bits ++ - dir_perms_world_writable_sticky_bits.severity=high + - var_accounts_user_umask=077 + - accounts_umask_etc_bashrc ++ - accounts_umask_etc_bashrc.severity=high + - service_auditd_enabled ++ - service_auditd_enabled.severity=high + - auditd_data_retention_max_log_file_action ++ - auditd_data_retention_max_log_file_action.severity=high + - auditd_data_retention_num_logs ++ - auditd_data_retention_num_logs.severity=high + - service_rsyslog_enabled ++ - service_rsyslog_enabled.severity=high + - package_python2_removed ++ - package_python2_removed.severity=high + - ensure_gpgcheck_never_disabled ++ - ensure_gpgcheck_never_disabled.severity=high + - login_accounts_are_necessary ++ - login_accounts_are_necessary.severity=high + - accounts_are_necessary ++ - accounts_are_necessary.severity=high + - group_unique_id ++ - group_unique_id.severity=high + - account_unique_id ++ - account_unique_id.severity=high + - account_unique_group_id ++ - account_unique_group_id.severity=high + - account_unique_name ++ - account_unique_name.severity=high + - group_unique_name ++ - group_unique_name.severity=high + - accounts_password_pam_dictcheck ++ - accounts_password_pam_dictcheck.severity=high + - verify_owner_password ++ - verify_owner_password.severity=high + - no_name_contained_in_password ++ - no_name_contained_in_password.severity=high + - sshd_strong_kex=standard_openeuler2203 + - sshd_use_strong_kex ++ - 
sshd_use_strong_kex.severity=high + - sshd_use_strong_pubkey ++ - sshd_use_strong_pubkey.severity=high + - sshd_enable_pam ++ - sshd_enable_pam.severity=high + - sshd_use_strong_macs ++ - sshd_use_strong_macs.severity=high + - sshd_use_strong_ciphers ++ - sshd_use_strong_ciphers.severity=high + - grub2_nosmap_argument_absent ++ - grub2_nosmap_argument_absent.severity=high + - grub2_nosmep_argument_absent ++ - grub2_nosmep_argument_absent.severity=high + - package_ftp_removed ++ - package_ftp_removed.severity=high + - no_empty_symlink_files ++ - no_empty_symlink_files.severity=high + - no_hide_exec_files ++ - no_hide_exec_files.severity=high + - no_lowprivilege_users_writeable_cmds_in_crontab_file ++ - no_lowprivilege_users_writeable_cmds_in_crontab_file.severity=high + - service_debug-shell_disabled ++ - service_debug-shell_disabled.severity=high + - service_avahi-daemon_disabled ++ - service_avahi-daemon_disabled.severity=high + - package_openldap-servers_removed ++ - package_openldap-servers_removed.severity=high + - service_cups_disabled ++ - service_cups_disabled.severity=high + - package_ypserv_removed ++ - package_ypserv_removed.severity=high + - package_ypbind_removed ++ - package_ypbind_removed.severity=high + - account_temp_expire_date ++ - account_temp_expire_date.severity=low + - no_netrc_files ++ - no_netrc_files.severity=low + - service_chronyd_or_ntpd_enabled +- - chronyd_or_ntpd_specify_remote_server ++ - service_chronyd_or_ntpd_enabled.severity=low ++ - ntpd_service_configure_correctly ++ - ntpd_service_configure_correctly.severity=low + - kernel_module_sctp_disabled ++ - kernel_module_sctp_disabled.severity=low + - kernel_module_tipc_disabled ++ - kernel_module_tipc_disabled.severity=low + - sshd_set_loglevel_verbose ++ - sshd_set_loglevel_verbose.severity=low + - sshd_set_max_auth_tries ++ - sshd_set_max_auth_tries.severity=low + - sshd_max_auth_tries_value=3 + - sshd_do_not_permit_user_env ++ - sshd_do_not_permit_user_env.severity=high + - 
sshd_disable_user_known_hosts_ex ++ - sshd_disable_user_known_hosts_ex.severity=high + - sshd_disable_rhosts_rsa ++ - sshd_disable_rhosts_rsa.severity=high + - service_firewalld_enabled ++ - service_firewalld_enabled.severity=low + - set_firewalld_default_zone ++ - set_firewalld_default_zone.severity=low + - disable_unnecessary_service_and_ports ++ - disable_unnecessary_service_and_ports.severity=low + - service_iptables_enabled ++ - service_iptables_enabled.severity=low + - service_ip6tables_enabled +- - set_iptables_default_rule ++ - service_ip6tables_enabled.severity=low ++ - configure_ipatbles_rule_refuse ++ - configure_ipatbles_rule_refuse.severity=low + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts.severity=high + - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_all_accept_redirects.severity=high + - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects.severity=high + - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_all_secure_redirects.severity=high + - sysctl_net_ipv4_conf_default_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects.severity=high + - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_all_send_redirects.severity=high + - sysctl_net_ipv4_conf_default_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects.severity=high + - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_all_rp_filter.severity=high + - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv4_ip_forward.severity=high + - sysctl_net_ipv6_conf_all_forwarding ++ - sysctl_net_ipv6_conf_all_forwarding.severity=high + - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_all_accept_source_route.severity=high + - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route.severity=high + - sysctl_net_ipv4_tcp_syncookies ++ - 
sysctl_net_ipv4_tcp_syncookies.severity=high + - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_all_log_martians.severity=low + - sysctl_net_ipv4_conf_default_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians.severity=low + - sysctl_fs_suid_dumpable ++ - sysctl_fs_suid_dumpable.severity=high + - selinux_state ++ - selinux_state.severity=low + - selinux_policytype ++ - selinux_policytype.severity=low + - sysctl_fs_protected_symlinks ++ - sysctl_fs_protected_symlinks.severity=high + - sysctl_fs_protected_hardlinks ++ - sysctl_fs_protected_hardlinks.severity=high + - kernel_module_usb-storage_disabled ++ - kernel_module_usb-storage_disabled.severity=low + - service_crond_enabled ++ - service_crond_enabled.severity=high + - cron_and_at_config +- - audit_rules_login_events ++ - cron_and_at_config.severity=high ++ - audit_rules_login_events_lastlog ++ - audit_rules_login_events_lastlog.severity=low + - audit_rules_usergroup_modification_group ++ - audit_rules_usergroup_modification_group.severity=low + - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_gshadow.severity=low + - audit_rules_usergroup_modification_opasswd ++ - audit_rules_usergroup_modification_opasswd.severity=low + - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_passwd.severity=low + - audit_rules_usergroup_modification_shadow ++ - audit_rules_usergroup_modification_shadow.severity=low + - audit_rules_kernel_module_install_and_remove ++ - audit_rules_kernel_module_install_and_remove.severity=low + - rsyslog_cron_logging ++ - rsyslog_cron_logging.severity=high + - ensure_minimum_permission ++ - ensure_minimum_permission.severity=high + - opened_files_count_limited ++ - opened_files_count_limited.severity=high + - sysctl_net_ipv4_tcp_timestamps ++ - sysctl_net_ipv4_tcp_timestamps.severity=low + - sysctl_net_ipv4_tcp_fin_timeout ++ - sysctl_net_ipv4_tcp_fin_timeout.severity=high + - 
sysctl_net_ipv4_tcp_max_syn_backlog ++ - sysctl_net_ipv4_tcp_max_syn_backlog.severity=low + - sysctl_net_ipv4_disable_arp_proxy ++ - sysctl_net_ipv4_disable_arp_proxy.severity=high + - sysctl_net_ipv4_icmp_echo_ignore_all ++ - sysctl_net_ipv4_icmp_echo_ignore_all.severity=low + - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses.severity=high + - su_only_for_wheel ++ - su_only_for_wheel.severity=high + - sudo_not_for_all_users ++ - sudo_not_for_all_users.severity=high + - only_root_can_run_pkexec ++ - only_root_can_run_pkexec.severity=high + - su_always_set_path ++ - su_always_set_path.severity=high + - file_permissions_unauthorized_world_writable ++ - file_permissions_unauthorized_world_writable.severity=low + - file_permissions_unauthorized_suid ++ - file_permissions_unauthorized_suid.severity=high + - file_permissions_unauthorized_sgid ++ - file_permissions_unauthorized_sgid.severity=high ++ - network_sniffing_tools ++ - network_sniffing_tools.severity=high ++ - service_rsyncd_disabled ++ - service_rsyncd_disabled.severity=high ++ - package_openldap-clients_removed ++ - package_openldap-clients_removed.severity=high ++ - no_forward_files ++ - no_forward_files.severity=low ++ - sshd_configure_correct_interface ++ - sshd_configure_correct_interface.severity=low ++ - sshd_concurrent_unauthenticated_connections ++ - sshd_concurrent_unauthenticated_connections.severity=low ++ - sshd_configure_concurrent_sessions ++ - sshd_configure_concurrent_sessions.severity=low ++ - sshd_disable_x11_forwarding ++ - sshd_disable_x11_forwarding.severity=high ++ - sshd_configure_correct_LoginGraceTime ++ - sshd_configure_correct_LoginGraceTime.severity=low ++ - sshd_disable_AllowTcpForwardindg ++ - sshd_disable_AllowTcpForwardindg.severity=high ++ - sshd_prohibit_preset_authorized_keys ++ - sshd_prohibit_preset_authorized_keys.severity=high ++ - network_interface_binding_corrently ++ - 
network_interface_binding_corrently.severity=low ++ - iptables_loopback_policy_configured_corrently ++ - iptables_loopback_policy_configured_corrently.severity=low ++ - iptables_input_policy_configured_corrently ++ - iptables_input_policy_configured_corrently.severity=low ++ - iptables_output_policy_configured_corrently ++ - iptables_output_policy_configured_corrently.severity=low ++ - iptables_association_policy_configured_corrently ++ - iptables_association_policy_configured_corrently.severity=low ++ - service_nftables_enabled ++ - service_nftables_enabled.severity=low ++ - nftables_configure_default_deny_policy ++ - nftables_configure_default_deny_policy.severity=low ++ - nftables_loopback_policy_configured_corrently ++ - nftables_loopback_policy_configured_corrently.severity=low ++ - nftables_input_policy_configured_corrently ++ - nftables_input_policy_configured_corrently.severity=low ++ - nftables_output_policy_configured_corrently ++ - nftables_output_policy_configured_corrently.severity=low ++ - nftables_association_policy_configured_corrently ++ - nftables_association_policy_configured_corrently.severity=low ++ - sudoers_disable_low_privileged_configure ++ - sudoers_disable_low_privileged_configure.severity=high ++ - no_files_globally_writable_files ++ - no_files_globally_writable_files.severity=high ++ - removed_unnecessary_file_mount_support ++ - removed_unnecessary_file_mount_support.severity=high ++ - read_only_partitions_no_modified ++ - read_only_partitions_no_modified.severity=high ++ - partitions_mounted_nodev_mode ++ - partitions_mounted_nodev_mode.severity=high ++ - partitions_mounted_noexec_mode ++ - partitions_mounted_noexec_mode.severity=high ++ - partitoin_mounted_noexec_or_nodev ++ - partitoin_mounted_noexec_or_nodev.severity=high ++ - partitions_mounted_nosuid_mode ++ - partitions_mounted_nosuid_mode.severity=high ++ - audit_privilege_escalation_command ++ - audit_privilege_escalation_command.severity=low ++ - audit_rules_admin_privilege ++ 
- audit_rules_admin_privilege.severity=low ++ - recorded_authentication_related_event ++ - recorded_authentication_related_event.severity=high ++ - rsyslog_files_permissions ++ - rsyslog_files_permissions.severity=low ++ - partitions_manage_hard_drive_data ++ - partitions_manage_hard_drive_data.severity=low ++ - uninstall_debugging_tools ++ - uninstall_debugging_tools.severity=high ++ - uninstall_development_and_compliation_tools ++ - uninstall_development_and_compliation_tools.severity=high ++ - package_xorg-x11-server-common_removed ++ - package_xorg-x11-server-common_removed.severity=high ++ - package_httpd_removed ++ - package_httpd_removed.severity=low ++ - service_smb_disabled ++ - service_smb_disabled.severity=low ++ - service_named_disabled ++ - service_named_disabled.severity=high ++ - service_nfs-server_disabled ++ - service_nfs-server_disabled.severity=low ++ - service_rpcbind_disabled ++ - service_rpcbind_disabled.severity=low ++ - service_dhcpd_disabled ++ - service_dhcpd_disabled.severity=low ++ - configure_first_logging_change_password ++ - configure_first_logging_change_password.severity=high ++ - sshd_disable_root_login ++ - sshd_disable_root_login.severity=high ++ - warning_banners_contain_reasonable_information ++ - warning_banners_contain_reasonable_information.severity=high ++ - diasable_root_accessing_system ++ - diasable_root_accessing_system.severity=low ++ - wireless_disable_interfaces ++ - wireless_disable_interfaces.severity=low ++ - sshd_enable_warning_banner ++ - sshd_enable_warning_banner.severity=low ++ - disabled_SysRq ++ - disabled_SysRq.severity=high ++ - sysctl_kernel_yama_ptrace_scope ++ - sysctl_kernel_yama_ptrace_scope.severity=low ++ - disabled_unconfined_service_t_programs ++ - disabled_unconfined_service_t_programs.severity=low ++ - enabled_seccomp ++ - enabled_seccomp.severity=low ++ - define_ld_lib_path_correctly ++ - define_ld_lib_path_correctly.severity=high ++ - define_path_strictly ++ - 
define_path_strictly.severity=low ++ - grub2_audit_argument ++ - grub2_audit_argument.severity=low ++ - grub2_audit_backlog_limit_argument ++ - grub2_audit_backlog_limit_argument.severity=low ++ - audit_rules_immutable ++ - audit_rules_immutable.severity=low ++ - auditd_data_retention_max_log_file ++ - auditd_data_retention_max_log_file.severity=high ++ - auditd_data_retention_max_log_file_action ++ - auditd_data_retention_max_log_file_action.severity=high ++ - auditd_data_retention_space_left ++ - auditd_data_retention_space_left.severity=low ++ - auditd_data_retention_space_left_action ++ - auditd_data_retention_space_left_action.severity=low ++ - auditd_data_retention_admin_space_left ++ - auditd_data_retention_admin_space_left.severity=low ++ - auditd_data_retention_admin_space_left_action ++ - auditd_data_retention_admin_space_left_action.severity=low ++ - auditd_data_disk_error_action ++ - auditd_data_disk_error_action.severity=low ++ - auditd_data_disk_full_action ++ - auditd_data_disk_full_action.severity=low ++ - audit_rules_sysadmin_actions ++ - audit_rules_sysadmin_actions.severity=low ++ - audit_rules_session_events ++ - audit_rules_session_events.severity=low ++ - audit_rules_time_adjtimex ++ - audit_rules_time_adjtimex.severity=low ++ - audit_rules_time_clock_settime ++ - audit_rules_time_clock_settime.severity=low ++ - audit_rules_time_settimeofday ++ - audit_rules_time_settimeofday.severity=low ++ - audit_rules_time_stime ++ - audit_rules_time_stime.severity=low ++ - audit_rules_time_watch_localtime ++ - audit_rules_time_watch_localtime.severity=low ++ - audit_rules_mac_modification ++ - audit_rules_mac_modification.severity=low ++ - audit_rules_networkconfig_modification ++ - audit_rules_networkconfig_modification.severity=low ++ - audit_rules_successful_file_modification ++ - audit_rules_successful_file_modification.severity=low ++ - audit_rules_unsuccessful_file_modification_open ++ - audit_rules_unsuccessful_file_modification_open.severity=low 
++ - audit_rules_unsuccessful_file_modification_ftruncate ++ - audit_rules_unsuccessful_file_modification_ftruncate.severity=low ++ - audit_rules_unsuccessful_file_modification_creat ++ - audit_rules_unsuccessful_file_modification_creat.severity=low ++ - audit_rules_unsuccessful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_openat.severity=low ++ - audit_rules_file_deletion_events_rename ++ - audit_rules_file_deletion_events_rename.severity=low ++ - audit_rules_file_deletion_events_renameat ++ - audit_rules_file_deletion_events_renameat.severity=low ++ - audit_rules_file_deletion_events_unlink ++ - audit_rules_file_deletion_events_unlink.severity=low ++ - audit_rules_file_deletion_events_unlinkat ++ - audit_rules_file_deletion_events_unlinkat.severity=low ++ - audit_rules_media_export ++ - audit_rules_media_export.severity=low ++ - configure_service_logging ++ - configure_service_logging.severity=low ++ - configure_dump_journald_log ++ - configure_dump_journald_log.severity=high ++ - configure_rsyslog_log_rotate ++ - configure_rsyslog_log_rotate.severity=high ++ - rsyslog_remote_loghost ++ - rsyslog_remote_loghost.severity=low ++ - rsyslog_accept_remote_messages_tcp ++ - rsyslog_accept_remote_messages_tcp.severity=low ++ - rsyslog_accept_remote_messages_udp ++ - rsyslog_accept_remote_messages_udp.severity=low ++ - ima_verification ++ - ima_verification.severity=low ++ - enable_aide_detection ++ - enable_aide_detection.severity=low ++ - service_haveged_enabled ++ - service_haveged_enabled.severity=low ++ - configure_crypto_policy ++ - configure_crypto_policy.severity=low +\ No newline at end of file +diff --git a/shared/templates/template_OVAL_audit_rules_file_deletion_events b/shared/templates/template_OVAL_audit_rules_file_deletion_events +index bbf3edd..7be7152 100644 +--- a/shared/templates/template_OVAL_audit_rules_file_deletion_events ++++ b/shared/templates/template_OVAL_audit_rules_file_deletion_events +@@ -5,34 +5,63 @@ + {{{- 
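Review bot: `auditd_data_retention_max_log_file_action` and its `.severity=high` refinement are selected twice in this hunk, once in the original block of selections and again in the newly appended audit block near the end, so one pair should be dropped to keep the profile unambiguous. The same hunk keeps `var_accounts_minimum_age_login_defs=0` next to `accounts_password_pam_unix_remember` and the new `var_accounts_maximum_age_login_defs=90`; with no minimum age a user can rotate through the remembered history in one sitting and land back on the old password, so a nonzero option (or a comment recording why 0 is intended) is worth considering. Several new rule ids carry spelling errors (`configure_ipatbles_rule_refuse`, `sshd_disable_AllowTcpForwardindg`, the `*_configured_corrently` family, `partitoin_mounted_noexec_or_nodev`, `uninstall_development_and_compliation_tools`, `diasable_root_accessing_system`); they presumably match the rule directories added elsewhere in this patch, so fixing them means renaming those directories in the same change. The profile also ends without a trailing newline (`\ No newline at end of file`).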
oval_affected(products) }}} + The deletion of files should be audited. + ++ {{% if product in ['openeuler2203'] %}} ++ + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- + +- +- +- +- +- +- +- +- +- ++ ++ {{% else %}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + +- + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% endif %}} + + + +@@ -71,4 +100,40 @@ + 1 + + ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:[\s]*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:[\s]*-F\s+auid>=1000[\s]+)(?:[\s]*-F\s+auid!=(-1|unset)[\s]+)[\s]*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification +index 480d5de..28cd7e1 100644 +--- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification ++++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification +@@ -5,42 +5,79 @@ + {{{- oval_affected(products) }}} + Audit rules about the unauthorized access 
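Review bot: The openEuler regexes added at the bottom of this template and of `template_OVAL_audit_rules_unsuccessful_file_modification` (the next file in this patch) use different separators between fields — here `[\s]*` before `-F arch` and before the `(-k|-F key=)` part, there `.*` — so an audit rule with an extra `-F` filter between `auid!=` and the key satisfies the unsuccessful-modification check but fails the deletion check; aligning both templates on the `.*` form (or deliberately on the strict form) avoids a remediation that passes one rule and not the other. Both patterns also accept only `auid!=(-1|unset)`; if any existing openEuler rule files spell the filter as `auid!=4294967295`, those lines will be reported as failing although auditd treats the three values identically, so `auid!=(-1|unset|4294967295)` would be the safer alternation. The `{{% if product in ['openeuler2203'] %}}` branch near the top of this hunk presumably wires these states into the criteria, but the element bodies are not visible in this rendering.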
attempts to files (unsuccessful) are enabled. + ++ {{% if product in ['openeuler2203'] %}} ++ + +- +- +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + +- + +- +- +- +- +- +- +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ + + ++ + ++ {{% else %}} ++ + +- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ {{% endif %}} + + + +@@ -164,4 +201,78 @@ + 1 + + ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ 
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EACCES[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+{{{ NAME }}}[\s]+|([\s]+|[,]){{{ NAME }}}([\s]+|[,])))(?:-F\s+exit=-EPERM[\s]*)(?:-F\s+auid>=1000[\s]+)(?:.*-F\s+auid!=(-1|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$ ++ 1 ++ ++ + +diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument +index 1fd8ec7..ecb7c2e 100644 +--- a/shared/templates/template_OVAL_grub2_bootloader_argument ++++ b/shared/templates/template_OVAL_grub2_bootloader_argument +@@ -5,6 +5,13 @@ + {{{- oval_affected(products) }}} + Look for argument {{{ ARG_NAME_VALUE }}} in the kernel line in /etc/default/grub. 
+ ++ {{% if product in ['openeuler2203'] %}} ++ ++ ++ ++ ++ ++ {{% else %}} + + {{% if product in ["rhel7", "ol7", "rhv4"] %}} + + {{% endif %}} + ++ {{% endif %}} + + + {{% if product in ["rhel7", "ol7", "rhv4"] %}} +@@ -95,4 +103,43 @@ + ^.*{{{ ARG_NAME_VALUE }}}.*$ + + ++ ++ ++ ++ ++ ++ /boot/grub2/grub.cfg ++ ^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /boot/efi/EFI/openEuler/grub ++ ^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ ++ /etc/default/grub ++ ^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$ ++ 1 ++ ++ + +diff --git a/shared/templates/template_OVAL_service_enabled b/shared/templates/template_OVAL_service_enabled +index 5958a97..09cbcf3 100644 +--- a/shared/templates/template_OVAL_service_enabled ++++ b/shared/templates/template_OVAL_service_enabled +@@ -12,6 +12,12 @@ + + The {{{ SERVICENAME }}} service should be enabled if possible. + ++ {{% if product in ["openeuler2203"] %}} ++ ++ ++ ++ ++ {{% else %}} + + + +@@ -22,6 +28,7 @@ + + + ++ {{% endif %}} + + + +-- +2.42.0.windows.2 + diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 9f05ae5..6884ec9 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -1,6 +1,6 @@ Name: scap-security-guide Version: 0.1.49 -Release: 8 +Release: 11 Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause URL: https://github.com/ComplianceAsCode/content/ @@ -15,6 +15,7 @@ Patch0006:init-openEuler-ssg-project.patch Patch0007:enable-76-rules-for-openEuler.patch Patch0008:enable-54-rules-for-openEuler.patch Patch0009:add-15-rules-for-openeuler.patch +Patch0010:optimize-80-rules-for-openEuler.patch BuildArch: noarch BuildRequires: libxslt, expat, python3, openscap-scanner >= 1.2.5, cmake >= 3.8, python3-jinja2, python3-PyYAML 
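Review bot: The new `/boot/grub2/grub.cfg`, `/boot/efi/EFI/openEuler/grub` and `/etc/default/grub` patterns are `^[\s]*.*{{{ ARG_NAME_VALUE }}}[\s]*.*$`, which reduces to `.*{{{ ARG_NAME_VALUE }}}.*` and therefore also matches the argument inside a commented-out line or as a substring of another token (as a constructed example, a value of `audit=1` for the `grub2_audit_argument` rule selected in the profile would also match `audit=10`), producing a pass where the kernel line does not actually carry the argument. Requiring a non-comment line and a delimiter on both sides tightens it: `^[\s]*[^#\s].*(?:[\s"']){{{ ARG_NAME_VALUE }}}(?:[\s"']|$)`. Also confirm the second path: the other two objects point at files, whereas `/boot/efi/EFI/openEuler/grub` looks like it may be a directory, in which case that textfilecontent object never matches; the intended file is presumably the `grub.cfg` inside it.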
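Review bot: The product guard in `template_OVAL_service_enabled` is written `{{% if product in ["openeuler2203"] %}}` while the three other templates in this patch use `['openeuler2203']`; Jinja treats both the same, but one quoting form across the patch reads better and makes the guards greppable. The `{{% else %}}` and `{{% endif %}}` of this guard land in two separate hunks, and the element bodies between them are not visible in this rendering.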
@@ -69,6 +70,15 @@ cd build
 %doc %{_docdir}/%{name}/tables/*.html
 %changelog
+* Fri Dec 22 2023 wangqingsan - 0.1.49-11
+- elevate 80 rules for openEuler
+
+* Fri Dec 8 2023 wangqingsan - 0.1.49-10
+- enable 80 rules for openEuler
+
+* Fri Nov 17 2023 wangqingsan - 0.1.49-9
+- enable 80 rules for openEuler
+
 * Fri Aug 11 2023 steven - 0.1.49-8
 - enable 15 rules for openEuler
-- Gitee